diff --git a/CHANGELOG.md b/CHANGELOG.md
index d23b3fbc7..2a9144c4e 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
# 🚀Changelog
-------------------------------------------------------------------------------------------------------------
-# 5.8.27(2024-03-11)
+# 5.8.27(2024-03-12)
### 🐣新特性
* 【extra 】 FreemarkerEngine修改默认版本参数
@@ -14,6 +14,7 @@
### 🐞Bug修复
* 【core 】 修复PathMover对目标已存在且只读文件报错错误问题(issue#I95CLT@Gitee)
* 【json 】 修复JSONUtil序列化和反序列化预期的结果不一致问题(pr#3507@Github)
+* 【http 】 修复CVE-2022-22885,HttpGlobalConfig可选关闭信任host(issue#2042@Github)
-------------------------------------------------------------------------------------------------------------
# 5.8.26(2024-02-10)
diff --git a/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java b/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
index 024ca8530..08744f359 100644
--- a/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
@@ -276,7 +276,10 @@ public class HttpConnection {
// Https请求
final HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
// 验证域
- httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier, DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER));
+ httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier,
+ // CVE-2022-22885 https://github.com/dromara/hutool/issues/2042
+ // 增加全局变量可选是否不验证host
+ HttpGlobalConfig.isTrustAnyHost() ? DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER : HttpsURLConnection.getDefaultHostnameVerifier()));
httpsConn.setSSLSocketFactory(ObjectUtil.defaultIfNull(ssf, DefaultSSLInfo.DEFAULT_SSF));
}
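Review bot: The new conditional on the `setHostnameVerifier` line still disables hostname verification by default, because `trustAnyHost` is initialised to `true` in the HttpGlobalConfig hunk of this same commit; any caller who does not discover the new setter keeps exactly the behaviour CVE-2022-22885 describes. A secure-by-default fix would initialise the field the other way, `private static boolean trustAnyHost = false;`, so the JDK verifier applies unless the application explicitly opts in to trusting any host; if compatibility forbids that, the changelog line and the setter Javadoc should state plainly that the default is unchanged and that calling `setTrustAnyHost(false)` is required to close the issue. Note also that `HttpsURLConnection.getDefaultHostnameVerifier()` is a JVM-wide mutable setting, so the fallback is only as strict as whatever verifier the application (or another library) has installed there. The enclosing method starts before this hunk.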
diff --git a/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java b/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
index 75e7b71a1..75ccd4830 100755
--- a/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
@@ -33,6 +33,7 @@ public class HttpGlobalConfig implements Serializable {
private static int maxRedirectCount = 0;
private static boolean ignoreEOFError = true;
private static boolean decodeUrl = false;
+ private static boolean trustAnyHost = true;
/**
* 获取全局默认的超时时长
@@ -199,7 +200,7 @@ public class HttpGlobalConfig implements Serializable {
// 去除final修饰
ReflectUtil.removeFinalModify(methodsField);
final String[] methods = {
- "GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
+ "GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
};
ReflectUtil.setFieldValue(null, methodsField, methods);
@@ -211,4 +212,24 @@ public class HttpGlobalConfig implements Serializable {
isAllowPatch = true;
}
+
+ /**
+ * 是否信任所有Host
+ * @return 是否信任所有Host
+ * @since 5.8.27
+ */
+ public static boolean isTrustAnyHost(){
+ return trustAnyHost;
+ }
+
+ /**
+ * 是否信任所有Host
+ * 见:https://github.com/dromara/hutool/issues/2042
+ *
+ * @param customTrustAnyHost 如果设置为{@code false},则按照JDK默认验证机制,验证目标服务器的证书host和请求host是否一致,{@code true}表示不验证。
+ * @since 5.8.27
+ */
+ public static void setTrustAnyHost(boolean customTrustAnyHost) {
+ trustAnyHost = customTrustAnyHost;
+ }
}
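Review bot: The Javadoc on `isTrustAnyHost()` does not say what the default is, which is the one fact a caller needs to decide whether to call the setter; adding ` * Defaults to {@code true}, i.e. the certificate host is not checked; see {@link #setTrustAnyHost(boolean)}.` to that comment would make the security posture visible from the API docs. The setter's `@param` description covers the semantics well, so only the default is missing. As a point of style, `isTrustAnyHost(){` lacks the space before the brace that `setTrustAnyHost(boolean customTrustAnyHost) {` and the rest of the class use.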