Posted to commits@shiro.apache.org by fp...@apache.org on 2020/05/05 15:04:22 UTC
[shiro] branch 1.5.x updated: [SHIRO-766] ignore exception on
invalid cookies.
This is an automated email from the ASF dual-hosted git repository.
fpapon pushed a commit to branch 1.5.x
in repository https://gitbox.apache.org/repos/asf/shiro.git
The following commit(s) were added to refs/heads/1.5.x by this push:
new fdddd7c [SHIRO-766] ignore exception on invalid cookies.
new 83d8dac Merge pull request #223 from bmhm/SHIRO-766
fdddd7c is described below
commit fdddd7cb982d9be69ea6b74bbe183fa47a22e5ee
Author: Benjamin Marwell <bm...@gmail.com>
AuthorDate: Tue May 5 16:20:22 2020 +0200
[SHIRO-766] ignore exception on invalid cookies.
---
.../shiro/web/mgt/CookieRememberMeManager.java | 16 +++++++++++--
.../shiro/web/mgt/CookieRememberMeManagerTest.java | 28 ++++++++++++++++++++++
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java b/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java
index 0c777ac..798bf40 100644
--- a/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java
+++ b/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java
@@ -212,9 +212,21 @@ public class CookieRememberMeManager extends AbstractRememberMeManager {
if (log.isTraceEnabled()) {
log.trace("Acquired Base64 encoded identity [" + base64 + "]");
}
- byte[] decoded = Base64.decode(base64);
+ byte[] decoded;
+ try {
+ decoded = Base64.decode(base64);
+ } catch (RuntimeException rtEx) {
+ /*
+ * https://issues.apache.org/jira/browse/SHIRO-766:
+ * If the base64 string cannot be decoded, just assume there is no valid cookie value.
+ * */
+ getCookie().removeFrom(request, response);
+ log.warn("Unable to decode existing base64 encoded entity: [" + base64 + "].", rtEx);
+ return null;
+ }
+
if (log.isTraceEnabled()) {
- log.trace("Base64 decoded byte array length: " + (decoded != null ? decoded.length : 0) + " bytes.");
+ log.trace("Base64 decoded byte array length: " + decoded.length + " bytes.");
}
return decoded;
} else {
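Review bot: The new `log.warn(...)` line writes the raw remember-me cookie value into the log for every request that carries an undecodable cookie, and that value is entirely client-controlled, so an anonymous client can inject arbitrary text plus a full stack trace into WARN-level output on demand; the trace line earlier in the hunk already records the value for debugging. Consider `log.warn("Unable to decode existing base64 encoded entity; removing remember-me cookie.", rtEx);` (or log only the value's length) and leave the literal value at trace level. The `getCookie().removeFrom(request, response)` call stops repeats from a well-behaved browser but not from a client that keeps resending the same cookie, so the warn stays per-request for such traffic. The enclosing method starts before this hunk and continues after it.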
diff --git a/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java b/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java
index c4d0963..37b7760 100644
--- a/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java
+++ b/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java
@@ -35,6 +35,8 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import java.util.UUID;
+
import static org.easymock.EasyMock.*;
import static org.junit.Assert.*;
@@ -244,4 +246,30 @@ public class CookieRememberMeManagerTest {
verify(mockResponse);
verify(cookie);
}
+
+ @Test
+ public void shouldIgnoreInvalidCookieValues() {
+ // given
+ HttpServletRequest mockRequest = createMock(HttpServletRequest.class);
+ HttpServletResponse mockResponse = createMock(HttpServletResponse.class);
+ WebSubjectContext context = new DefaultWebSubjectContext();
+ context.setServletRequest(mockRequest);
+ context.setServletResponse(mockResponse);
+
+ CookieRememberMeManager mgr = new CookieRememberMeManager();
+ Cookie[] cookies = new Cookie[]{
+ new Cookie(CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME, UUID.randomUUID().toString() + "%%ldapRealm")
+ };
+
+ expect(mockRequest.getAttribute(ShiroHttpServletRequest.IDENTITY_REMOVED_KEY)).andReturn(null);
+ expect(mockRequest.getContextPath()).andReturn(null);
+ expect(mockRequest.getCookies()).andReturn(cookies);
+ replay(mockRequest);
+
+ // when
+ final byte[] rememberedSerializedIdentity = mgr.getRememberedSerializedIdentity(context);
+
+ // then
+ assertNull("should ignore invalid cookie values", rememberedSerializedIdentity);
+ }
}
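Review bot: `mockResponse` created at the `HttpServletResponse mockResponse = createMock(...)` line is never put into replay mode or verified, so the cookie-removal side effect the fix introduces in `CookieRememberMeManager` is not asserted; in EasyMock's record state any call on the response is silently recorded rather than checked. Presumably the removal reaches `HttpServletResponse.addCookie`, so the test could expect it, e.g. `mockResponse.addCookie(anyObject(Cookie.class)); replay(mockRequest, mockResponse);` before the call and `verify(mockRequest, mockResponse);` after the assertion. As written, a regression that returns null without clearing the cookie would still pass this test.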