Posted to dev@shiro.apache.org by "Brian Demers (Jira)" <ji...@apache.org> on 2020/11/20 15:56:00 UTC

[jira] [Comment Edited] (SHIRO-801) Shiro blocks requests with non-ASCII characters in the URL path

    [ https://issues.apache.org/jira/browse/SHIRO-801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236254#comment-17236254 ] 

Brian Demers edited comment on SHIRO-801 at 11/20/20, 3:55 PM:
---------------------------------------------------------------

There are a few Unicode-based attacks: [https://owasp.org/www-community/attacks/Unicode_Encoding]

That doesn't mean that your application is susceptible to them (but that is specific to your application). To revert to the previous behavior, you can set

{{invalidRequest.blockNonAscii = false}}

See: [https://shiro.apache.org/web.html#global-filters]

was (Author: bdemers):
There are a few Unicode-based attacks: [https://owasp.org/www-community/attacks/Unicode_Encoding]

That doesn't mean that your application is susceptible to them. To revert the previous behavior, you can set

{{invalidRequest.blockNonAscii = false}}

See: https://shiro.apache.org/web.html#global-filters

> Shiro blocks requests with non-ASCII characters in the URL path
> ---------------------------------------------------------------
>
>                 Key: SHIRO-801
>                 URL: https://issues.apache.org/jira/browse/SHIRO-801
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Tuure Laurinolli
>            Priority: Major
>
> When trying to upgrade to Shiro 1.7.0 we noticed that some of our tests started failing. The tests validate that Scandinavian characters (äöå) can be used in object ids in our system.
> It appears that SHIRO-794 changed URL validation so that Scandinavian characters are no longer allowed in the decoded path component of the URL. The relevant code change is [https://github.com/apache/shiro/commit/a28300448ae6c4bb78a8ba626b0cacb00f82d5f8#diff-bd4bf9dfa4cc7521c708850ac5d397fee22b021ea09a3a91f7ce1587abc287d7].
> Is there some reason to not allow non-ASCII characters in the URL path?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
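
The behavior discussed in this thread, as an added sketch that is not part of the original message and is not Shiro's source code: it models a check on the decoded path that accepts only printable ASCII, gated by a flag named after the `blockNonAscii` setting. The class name, the `allowed` helper, the U+0020 to U+007E range and the sample paths are assumptions made for illustration.

```java
import java.net.URI;

// Added sketch, not Shiro's source: models a printable-ASCII check on the
// decoded request path, gated by a flag named after the setting in the thread.
public class NonAsciiPathCheck {

    // Assumption: "printable ASCII" means U+0020 through U+007E inclusive.
    static boolean onlyPrintableAscii(String path) {
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c < 0x20 || c > 0x7e) {
                return false;
            }
        }
        return true;
    }

    // Hypothetical helper: decide whether a request path would be let through.
    static boolean allowed(String rawPath, boolean blockNonAscii) {
        // URI.getPath() percent-decodes the path, reading the bytes as UTF-8.
        String decoded = URI.create(rawPath).getPath();
        return !blockNonAscii || onlyPrintableAscii(decoded);
    }

    public static void main(String[] args) {
        // Constructed sample paths; the second is "/objects/äöå" percent-encoded.
        String[] samples = {
            "/objects/abc-123",
            "/objects/%C3%A4%C3%B6%C3%A5",
            "/objects/a%09b"   // decoded path contains a TAB control character
        };
        for (String raw : samples) {
            System.out.printf("%-30s blockNonAscii=true -> %-5b  false -> %b%n",
                    raw, allowed(raw, true), allowed(raw, false));
        }
    }
}
```

In this model, turning the flag off admits every character outside the printable range, including the control character in the third sample, so an application that disables the check should validate the decoded identifiers itself before using them in lookups or file paths.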