修复CVE-2022-22885，HttpGlobalConfig可选关闭信任host

2025-07-21 15:09:48 +08:00 · 2024-03-12 10:29:38 +08:00
parent f2e154f5b5
commit f15612cd55
3 changed files with 28 additions and 3 deletions
--- a/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
@@ -276,7 +276,10 @@ public class HttpConnection {
 			// Https请求
 			final HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
 			// 验证域
-			httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier, DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER));
+			httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier,
+				// CVE-2022-22885 https://github.com/dromara/hutool/issues/2042
+				// 增加全局变量可选是否不验证host
+				HttpGlobalConfig.isTrustAnyHost() ? DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER : HttpsURLConnection.getDefaultHostnameVerifier()));
 			httpsConn.setSSLSocketFactory(ObjectUtil.defaultIfNull(ssf, DefaultSSLInfo.DEFAULT_SSF));
 		}

--- a/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
@@ -33,6 +33,7 @@ public class HttpGlobalConfig implements Serializable {
 	private static int maxRedirectCount = 0;
 	private static boolean ignoreEOFError = true;
 	private static boolean decodeUrl = false;
+	private static boolean trustAnyHost = true;

 	/**
 	 * 获取全局默认的超时时长
@@ -199,7 +200,7 @@ public class HttpGlobalConfig implements Serializable {
 		// 去除final修饰
 		ReflectUtil.removeFinalModify(methodsField);
 		final String[] methods = {
-				"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
+			"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
 		};
 		ReflectUtil.setFieldValue(null, methodsField, methods);

@@ -211,4 +212,24 @@ public class HttpGlobalConfig implements Serializable {

 		isAllowPatch = true;
 	}
+
+	/**
+	 * 是否信任所有Host
+	 * @return 是否信任所有Host
+	 * @since 5.8.27
+	 */
+	public static boolean isTrustAnyHost(){
+		return trustAnyHost;
+	}
+
+	/**
+	 * 是否信任所有Host<br>
+	 * 见：https://github.com/dromara/hutool/issues/2042<br>
+	 *
+	 * @param customTrustAnyHost 如果设置为{@code false}，则按照JDK默认验证机制，验证目标服务器的证书host和请求host是否一致，{@code true}表示不验证。
+	 * @since 5.8.27
+	 */
+	public static void setTrustAnyHost(boolean customTrustAnyHost) {
+		trustAnyHost = customTrustAnyHost;
+	}
 }