
【优化】修改密码交互优化,解决CSRF隐患。

xuxueli 1 년 전
부모
커밋
0885d7d8fe

+ 1 - 1
doc/XXL-JOB官方文档.md

@@ -2370,7 +2370,7 @@ public void execute() {
 - 1、【升级】多个项目依赖升级至较新稳定版本,涉及netty、groovy、gson、springboot、mybatis等;
 - 2、【修复】"CVE-2024-42681" 子任务越权漏洞修复;
 - 3、【优化】Cron解析组件优化代码优化。
-- 3、[规划中]【优化】修改密码交互优化,提升系统安全;
+- 4、【优化】修改密码交互优化,解决CSRF隐患。
 
 
 

+ 13 - 6
xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java

@@ -151,11 +151,14 @@ public class UserController {
 
     @RequestMapping("/updatePwd")
     @ResponseBody
-    public ReturnT<String> updatePwd(HttpServletRequest request, String password){
+    public ReturnT<String> updatePwd(HttpServletRequest request, String password, String oldPassword){
 
-        // valid password
+        // valid
+        if (oldPassword==null || oldPassword.trim().length()==0){
+            return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_please_input") + I18nUtil.getString("change_pwd_field_oldpwd"));
+        }
         if (password==null || password.trim().length()==0){
-            return new ReturnT<String>(ReturnT.FAIL.getCode(), "密码不可为空");
+            return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_please_input") + I18nUtil.getString("change_pwd_field_oldpwd"));
         }
         password = password.trim();
         if (!(password.length()>=4 && password.length()<=20)) {
@@ -163,13 +166,17 @@ public class UserController {
         }
 
         // md5 password
+        String md5OldPassword = DigestUtils.md5DigestAsHex(oldPassword.getBytes());
         String md5Password = DigestUtils.md5DigestAsHex(password.getBytes());
 
-        // update pwd
+        // valid old pwd
         XxlJobUser loginUser = PermissionInterceptor.getLoginUser(request);
-
-        // do write
         XxlJobUser existUser = xxlJobUserDao.loadByUserName(loginUser.getUsername());
+        if (!md5OldPassword.equals(existUser.getPassword())) {
+            return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("change_pwd_field_oldpwd") + I18nUtil.getString("system_unvalid"));
+        }
+
+        // write new
         existUser.setPassword(md5Password);
         xxlJobUserDao.update(existUser);
 
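Review bot: The empty-new-password branch at the new line `return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_please_input") + I18nUtil.getString("change_pwd_field_oldpwd"));` inside the `if (password==null || ...)` block reuses the old-password key, so a user who leaves the new password blank is told to enter the old one; it should read `I18nUtil.getString("system_please_input") + I18nUtil.getString("change_pwd_field_newpwd")`, a key the bundles already define. The old-password check `if (!md5OldPassword.equals(existUser.getPassword()))` compares hashes with `String.equals`, which short-circuits on the first differing byte; `if (!MessageDigest.isEqual(md5OldPassword.getBytes(StandardCharsets.UTF_8), existUser.getPassword().getBytes(StandardCharsets.UTF_8)))` gives a constant-time comparison (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). Note also that `password` is trimmed before hashing but `oldPassword` is not, so a stored password that was trimmed on save may not verify if the user re-enters it with surrounding whitespace — presumably worth trimming both the same way. The body of updatePwd continues past the end of this hunk.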

+ 1 - 0
xxl-job-admin/src/main/resources/i18n/message_en.properties

@@ -91,6 +91,7 @@ logout_fail=Logout fail
 ## change pwd
 change_pwd=Change password
 change_pwd_suc_to_logout=Change password successful, about to log out login
+change_pwd_field_oldpwd=old password
 change_pwd_field_newpwd=new password
 
 ## dashboard

+ 1 - 0
xxl-job-admin/src/main/resources/i18n/message_zh_CN.properties

@@ -91,6 +91,7 @@ logout_fail=注销失败
 ## change pwd
 change_pwd=修改密码
 change_pwd_suc_to_logout=修改密码成功,即将注销登陆
+change_pwd_field_oldpwd=旧密码
 change_pwd_field_newpwd=新密码
 
 ## dashboard

+ 1 - 0
xxl-job-admin/src/main/resources/i18n/message_zh_TC.properties

@@ -91,6 +91,7 @@ logout_fail=登出失敗
 ## change pwd
 change_pwd=修改密碼
 change_pwd_suc_to_logout=修改密碼成功,即將登出
+change_pwd_field_oldpwd=舊密碼
 change_pwd_field_newpwd=新密碼
 
 ## dashboard

+ 11 - 3
xxl-job-admin/src/main/resources/static/js/common.1.js

@@ -99,15 +99,23 @@ $(function(){
         errorClass : 'help-block',
         focusInvalid : true,
         rules : {
+            oldPassword : {
+                required : true ,
+                rangelength:[4,20]
+            },
             password : {
                 required : true ,
-                rangelength:[4,50]
+                rangelength:[4,20]
             }
         },
         messages : {
+            oldPassword : {
+                required : I18n.system_please_input +I18n.change_pwd_field_oldpwd,
+                rangelength : "密码长度限制为4~20"
+            },
             password : {
-                required : '请输入密码'  ,
-                rangelength : "密码长度限制为4~50"
+                required : I18n.system_please_input +I18n.change_pwd_field_newpwd,
+                rangelength : "密码长度限制为4~20"
             }
         },
         highlight : function(element) {
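Review bot: The new `rangelength : "密码长度限制为4~20"` messages for both `oldPassword` and `password` are hard-coded Chinese, while the `required` messages on the same objects were just switched to `I18n.system_please_input + I18n.change_pwd_field_*`, so the dialog is mixed-language for the en and zh_TC locales this commit also touches. Consider adding a key such as `change_pwd_field_length` (placeholder name; not in the bundles on this page) to the three message_*.properties files and using `rangelength : I18n.change_pwd_field_length` here. The enclosing `$(function(){` starts and ends outside the hunk.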

+ 5 - 1
xxl-job-admin/src/main/resources/templates/common/common.macro.ftl

@@ -107,9 +107,13 @@
 				</div>
 				<div class="modal-body">
 					<form class="form-horizontal form" role="form" >
+						<div class="form-group">
+							<label for="lastname" class="col-sm-2 control-label">${I18n.change_pwd_field_oldpwd}<font color="red">*</font></label>
+							<div class="col-sm-10"><input type="text" class="form-control" name="oldPassword" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_oldpwd}" maxlength="20" ></div>
+						</div>
 						<div class="form-group">
 							<label for="lastname" class="col-sm-2 control-label">${I18n.change_pwd_field_newpwd}<font color="red">*</font></label>
-							<div class="col-sm-10"><input type="text" class="form-control" name="password" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_newpwd}" maxlength="18" ></div>
+							<div class="col-sm-10"><input type="text" class="form-control" name="password" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_newpwd}" maxlength="20" ></div>
 						</div>
 						<hr>
 						<div class="form-group">
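Review bot: The new old-password field is rendered as `<input type="text" ... name="oldPassword" ...>`, so the current password is shown in clear text on screen and can be captured by shoulder-surfing or screen sharing; it should be `<input type="password" class="form-control" name="oldPassword" autocomplete="current-password" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_oldpwd}" maxlength="20" >`. The copied `<label for="lastname" ...>` points at an id that no input in this form carries, so the label is not associated with the field; either give the input `id="oldPassword"` and use `for="oldPassword"`, or drop the `for` attribute. The surrounding `<form>` opens before and closes after this hunk.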