Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-682

fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect

Attach filesAttach ScreenshotVotersWatch issueWatchersLinkUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Resolved
    • 1.3.2
    • 1.5.0
    • Web

    Description

      hi, the potential threat found when use shiro filter.
      in spring web, the requestURI : /resource/menus and resource/menus/ both can access the resource,
      but the pathPattern match /resource/menus can not match resource/menus/
      user can use requestURI + "/" to simply bypassed chain filter, to bypassed shiro protect

      [PR #127|https://github.com/apache/shiro/pull/127]

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            fpapon Francois Papon
            tomsun28 tomsun28
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 4h 40m
                4h 40m

                Slack

                  Issue deployment