Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-682

fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Resolved
    • 1.3.2
    • 1.5.0
    • Web

    Description

      hi, the potential threat found when use shiro filter.
      in spring web, the requestURI : /resource/menus and resource/menus/ both can access the resource,
      but the pathPattern match /resource/menus can not match resource/menus/
      user can use requestURI + "/" to simply bypassed chain filter, to bypassed shiro protect

      [PR #127|https://github.com/apache/shiro/pull/127]

      Attachments

        Issue Links

          is related to

          Sub-task - The sub-task of the issue KNOX-2221 Upgrade shiro to 1.5.3

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #127

          Web Link GitHub Pull Request #181

          Activity

            People

              fpapon Francois Papon
              tomsun28 tomsun28
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 4h 40m
                  4h 40m