Shiro / SHIRO-582

NullPointerException in AntPathMatcher


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.0

    Description

      WebUtils.getRequestUri uses the normalize method to canonicalize the request URI. During an automated pentest, we found that a request to the following URL will cause a NPE:

      curl --path-as-is "http://127.0.0.1/\../\../\../\../\../\../Server4/admin-serv/config/adm.conf"

      The request will cause the path parameter of the `doMatch` method in org.apache.shiro.util.AntPathMatcher to be null. Executing the line

      {{ if (path.startsWith(this.pathSeparator) != pattern.startsWith(this.pathSeparator)) }} will throw the NPE.

      This could be handled by adjusting the normalize method or null checking the path in the doMatch method.

      Stacktrace

      java.lang.NullPointerException
      at org.apache.shiro.util.AntPathMatcher.doMatch(AntPathMatcher.java:109)
      at org.apache.shiro.util.AntPathMatcher.match(AntPathMatcher.java:90)
      at org.apache.shiro.util.AntPathMatcher.matches(AntPathMatcher.java:86)
      at org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver.pathMatches(PathMatchingFilterChainResolver.java:135)
      at org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver.getChain(PathMatchingFilterChainResolver.java:106)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.getExecutionChain(AbstractShiroFilter.java:415)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:448)
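      To make the failure mode concrete, here is an added Python model of the normalization and matching steps described above; it is not Shiro's source. It assumes the normalization mirrors WebUtils.normalize (backslashes become "/", then "//", "/./" and "/../" are collapsed, and a leading "/../" yields null), and shows a guarded chain resolver that rejects such a request instead of passing null to the matcher. The filter chain table and the minimal "**" matcher are constructed for the example.

```python
# Added example (not Shiro's source): a Python model of the URI normalization
# behind SHIRO-582 and the null guard the report suggests. Assumption: the
# steps mirror WebUtils.normalize (backslash -> '/', collapse '//', '/./',
# '/../'; None when '/../' would climb above the context root).

FILTER_CHAINS = {"/admin/**": "authc", "/**": "anon"}  # constructed sample config


def normalize(path):
    """Canonical form of a request URI, or None if it escapes the context root."""
    if path is None:
        return None
    normalized = path.replace("\\", "/")
    if normalized == "/.":
        return "/"
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    while "//" in normalized:
        normalized = normalized.replace("//", "/", 1)
    while "/./" in normalized:
        normalized = normalized.replace("/./", "/", 1)
    while True:
        index = normalized.find("/../")
        if index < 0:
            return normalized
        if index == 0:
            return None  # '/../' at the root: nothing to strip, signal "outside context"
        parent = normalized.rfind("/", 0, index)
        normalized = normalized[:parent] + normalized[index + 3:]


def ant_match(pattern, path):
    """Minimal '**'-suffix matcher standing in for AntPathMatcher.doMatch."""
    if path is None:  # the unguarded original dereferences path here -> NPE
        raise TypeError("path must not be None")
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return path == pattern


def resolve_chain(request_uri):
    """Guarded chain resolution: a URI that normalizes to None is rejected, not matched."""
    path = normalize(request_uri)
    if path is None:
        return "reject"  # never hand None to the matcher
    for pattern, chain in FILTER_CHAINS.items():
        if ant_match(pattern, path):
            return chain
    return None
```

Feeding the reported URI path through normalize() yields None, and resolve_chain() turns that into a rejection rather than the exception shown in the stack trace.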

      People

        Assignee: Unassigned
        Reporter: Christian Thum (chris2m)