package com.apache.security.filter;

import com.apache.security.SecurityFilter;
import com.apache.tools.StrUtil;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/apache/security/filter/SqlCookieFilter.class */
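/**
 * Request filter that rejects requests whose query string or parameter values
 * contain a blacklisted SQL/script fragment or an HTML tag.
 *
 * <p>This is a substring blacklist, not a parser. It is a defense-in-depth
 * tripwire only and must not be relied on in place of parameterized SQL and
 * output encoding in the handlers it fronts: the decode step is a fixed table
 * (double encoding such as {@code %2528} passes through), and the blacklist
 * keys on trailing spaces ({@code "select "}) that a tab or comment defeats.
 *
 * <p>The filter keeps no per-request state (the blacklist and the regex are
 * static), so one instance may be shared across threads; the original stored
 * a {@link Matcher} in an instance field, which is not thread-safe.
 */
public class SqlCookieFilter implements SecurityFilter {
    private static final Logger log = Logger.getLogger(SqlCookieFilter.class);

    /**
     * Fragments that cause a request to be rejected, matched as plain substrings
     * against the lower-cased, partially decoded input.
     * The original list carried {@code "onerror\\="}, i.e. the literal text
     * {@code onerror\=}, which can never occur in a decoded payload; it is
     * {@code "onerror="} here. The duplicate {@code "ltrim("} entry was dropped.
     */
    private static final String[] INJ_STR = {
        "select ", "(select", "insert ", "drop ", "union ", "delete ", "update ",
        "+and+", " and ", "+or+", " or ", "'='",
        "<script", "confirm(", "prompt(", "eval(", "function(", "alert(", ":alert",
        "ltrim(", "[window[", "<iframe", "<a href", "<input ", "<img", "<audio",
        "onerror=", "{tostring:", "</script", "</style", "href="
    };

    /** An opening or closing HTML tag. Compiled once; Pattern is immutable and thread-safe. */
    private static final Pattern TAG_PATTERN = Pattern.compile("(<[a-zA-Z].*?>)|(<[\\/][a-zA-Z].*?>)");

    /** Path (relative to the context root) the client is redirected to on rejection. */
    private String errorPage;

    /**
     * Filter-chain entry point.
     *
     * @return 1 when the request is clean and processing should continue; 0 when
     *         it was rejected and a redirect to the error page has been sent
     */
    @Override // com.apache.security.SecurityFilter
    public int doFilterInvoke(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        if (!checkSecurity(httpServletRequest)) {
            return 1;
        }
        // errorPage is injected via setErrorPage(); if it was never set, redirect to
        // the context root rather than to the literal "/null".
        String target = this.errorPage == null ? "" : this.errorPage;
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/" + target);
        return 0;
    }

    /** Sets the page (relative to the context root) used by {@link #doFilterInvoke}. */
    @Override // com.apache.security.SecurityFilter
    public void setErrorPage(String str) {
        this.errorPage = str;
    }

    /**
     * Writes a rejection response directly: a fixed JSON body for XHR callers,
     * a forward to {@code /common/error.jsp} otherwise. Not called by
     * {@link #doFilterInvoke} in this class; kept for subclasses.
     * The body is a constant, so no request data is reflected into the response.
     */
    protected void sendErrorPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            if ("XMLHttpRequest".equals(httpServletRequest.getHeader("X-Requested-With"))) {
                // NOTE(review): the body is JSON but is labelled text/html; callers may
                // depend on this, so it is left unchanged here.
                httpServletResponse.setContentType("text/html;charset=utf-8");
                PrintWriter writer = httpServletResponse.getWriter();
                writer.write("{\"flag\":\"F\",\"msg\":\"非法请求\"}");
                writer.flush();
                writer.close();
            } else {
                httpServletRequest.setAttribute("errors", "非法请求");
                httpServletRequest.getRequestDispatcher("/common/error.jsp").forward(httpServletRequest, httpServletResponse);
            }
        } catch (Exception e) {
            // Best effort: the request is already being rejected, but a failure to
            // render the error page should not disappear silently.
            log.warn("failed to send error page", e);
        }
    }

    /**
     * Decides whether the request looks malicious.
     *
     * @return {@code true} when the request must be rejected, {@code false} when
     *         it may proceed
     */
    protected boolean checkSecurity(HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        String lowerUri = requestURI == null ? "" : requestURI.toLowerCase(Locale.ROOT);
        // Known scanner probe paths: always rejected, before the token exemption below.
        if (lowerUri.contains("/owa_util.signature") || lowerUri.contains("/sqlnet.trc")) {
            log.warn("非法请求参数=" + forLog(requestURI));
            return true;
        }
        // NOTE(review): any non-empty formToken parameter skips every check below;
        // its value is not validated here. Whether the token is verified elsewhere
        // (e.g. a CSRF filter) cannot be seen from this class — confirm before
        // relying on this exemption, since as written it is a one-parameter bypass.
        if (StrUtil.isNotNull(httpServletRequest.getParameter("formToken"))) {
            return false;
        }
        StringBuilder payload = new StringBuilder();
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            payload.append(queryString);
        }
        // Always include parameter values (form body included). The original only
        // read them when the query string was empty, so a request carrying any
        // query string had its body skipped; it also concatenated onto a null
        // query string, producing a "null" prefix.
        Enumeration<String> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames != null && parameterNames.hasMoreElements()) {
            String[] values = httpServletRequest.getParameterValues(parameterNames.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (value != null) {
                    payload.append(value);
                }
            }
        }
        if (payload.length() == 0) {
            return false;
        }
        String raw = payload.toString();
        if (containsInjection(raw)) {
            log.warn("非法请求参数=" + forLog(normalize(raw)));
            return true;
        }
        return false;
    }

    /**
     * Applies the blacklist and the tag regex to one string.
     * Package-private and static so it can be exercised without a servlet request.
     *
     * @return {@code true} if a blacklisted fragment or an HTML tag is present
     */
    static boolean containsInjection(String raw) {
        if (raw == null || raw.isEmpty()) {
            return false;
        }
        String normalized = normalize(raw);
        for (String fragment : INJ_STR) {
            if (normalized.contains(fragment)) {
                return true;
            }
        }
        // The original used matches(), which only fires when the ENTIRE input is a
        // single tag, and ran it on the still-percent-encoded string, so an encoded
        // <script> was never seen as a tag. find() flags a tag anywhere.
        return TAG_PATTERN.matcher(normalized).find();
    }

    /**
     * Lower-cases (locale-independent, so a Turkish default locale cannot turn
     * "INSERT" into "ınsert" and dodge the list) and reverses the handful of
     * percent-escapes the blacklist cares about. This is a single pass over a
     * fixed table, not a URL decode: escapes outside the table and double
     * encoding pass through untouched.
     */
    private static String normalize(String s) {
        return s.toLowerCase(Locale.ROOT)
                .replace("%28", "(")
                .replace("%2b", "+")
                .replace("%3c", "<")
                .replace("%3e", ">") // not in the original table; the tag regex needs a '>'
                .replace("%27", "'")
                .replace("%5b", "[")
                .replace("%5d", "]")
                .replace("%3d", "=")
                .replace("%7c", "|")
                .replace("%7b", "{")
                .replace("%3a", ":")
                .replace("%2f", "/");
    }

    /** Strips CR/LF so attacker-controlled input cannot forge extra log lines. */
    private static String forLog(String s) {
        return s == null ? "null" : s.replace('\r', ' ').replace('\n', ' ');
    }
}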
