From a8219a1c955a9bb84300a52944ab886c604a4512 Mon Sep 17 00:00:00 2001
From: Administrator <15274802129@163.com>
Date: Sun, 14 Jun 2026 16:54:52 +0800
Subject: [PATCH] fix(security): 修复CORS配置中的安全漏洞
---
src/main/java/cc/mrbird/febs/common/configure/WebMvcConfigure.java | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/main/java/cc/mrbird/febs/common/configure/WebMvcConfigure.java b/src/main/java/cc/mrbird/febs/common/configure/WebMvcConfigure.java
index 984c91a..f729211 100644
--- a/src/main/java/cc/mrbird/febs/common/configure/WebMvcConfigure.java
+++ b/src/main/java/cc/mrbird/febs/common/configure/WebMvcConfigure.java
@@ -33,6 +33,9 @@
registration.excludePathPatterns("/api/xcxPay/wxpayCallback");
registration.excludePathPatterns("/api/xcxPay/rechargeCallBack");
registration.excludePathPatterns("/api/xcxPay/fapiaoCallBack");
+ registration.excludePathPatterns("/api/fuPayReturn/callback");
+ registration.excludePathPatterns("/api/fuPayReturn/payment/callback");
+ registration.excludePathPatterns("/api/fuPay/notify");
// 添加Swagger UI相关路径
registration.excludePathPatterns("/api/swagger-ui.html");
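Review bot: The three new exclusions for `/api/fuPayReturn/callback`, `/api/fuPayReturn/payment/callback` and `/api/fuPay/notify` remove these endpoints from whatever check this interceptor performs, and nothing in the hunk shows what replaces it. If the interceptor is the authentication check (inferred, since the registration itself lies outside the hunk), each callback handler must verify the payment provider's signature before changing order state, and must treat repeated notifications idempotently. I would record that beside the new lines, e.g. `// Gateway callbacks bypass the interceptor: handlers must verify the provider signature before updating order state`. The commit subject names only CORS, so moving this exemption into its own commit would make it easier to audit.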
@@ -48,7 +51,6 @@
registry.addMapping("/**")//允许请求路径
.allowedOrigins("*")//表示允许所有网址发起跨域请求
.allowedMethods("POST", "GET", "PUT", "OPTIONS", "DELETE")//表示允许跨域请求的方法
- .maxAge(3600)//表示在3600秒内不需要再发送预校验请求
- .allowCredentials(true);//允许客户端携带验证信息,即允许携带cookie
+ .maxAge(3600);//表示在3600秒内不需要再发送预校验请求
}
}
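Review bot: `.allowedOrigins("*")` on `/**` is left in place, so after `allowCredentials(true)` is dropped any origin can still call every mapped path and read the response; only browser-attached credentials such as cookies are closed off. If the API authenticates with a token sent in a request header rather than a cookie (not visible here), that flag did not govern those requests in the first place. Prefer an explicit allow-list over the wildcard, e.g. `.allowedOrigins("https://app.example.com") // placeholder: trusted front-end origin(s)`, ideally loaded from configuration. The enclosing method starts outside the hunk.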
--
Gitblit v1.9.1