[SHIRO-753] Regression in URI parsing in Shiro 1.5.2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Resolved
Affects Version/s: 1.5.2
Fix Version/s: 1.5.3
Component/s: Web
Labels:
None

Description

Hello everyone,

In Shiro 1.5.2, WebUtils.getRequestURI() no longer support paths with '%' character in it

In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from request.getRequestURI() returns "A%25B" which is properly decoded afterward by the decodeAndCleanUriString method.

In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from context+path+pathInfo returns "A%B" (it's already decoded) which crashes when calling decodeAndCleanUriString

Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
    at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
    at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]

Decoding twice the URI might produce other incorrect results.

Can you have a look? Thanks!

Attachments

Issue Links

links to

GitHub Pull Request #211

Activity

People

Assignee:: Unassigned

Reporter:: Antoine DESSAIGNE

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 07/Apr/20 09:41

Updated:: 24/Jun/20 15:13

Resolved:: 08/Apr/20 15:51

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

10m