Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-682

fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Resolved
    • Affects Version/s: 1.3.2
    • Fix Version/s: 1.5.0
    • Component/s: Web
    • Labels:

      Description

      hi, the potential threat found when use shiro filter.
      in spring web, the requestURI : /resource/menus and resource/menus/ both can access the resource,
      but the pathPattern match /resource/menus can not match resource/menus/
      user can use requestURI + "/" to simply bypassed chain filter, to bypassed shiro protect

      [PR #127|https://github.com/apache/shiro/pull/127]

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                fpapon Francois Papon
                Reporter:
                tomsun28 tomsun28
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 4h 40m
                  4h 40m