Posted to issues@shiro.apache.org by "Ronald Feicht (Jira)" <ji...@apache.org> on 2023/05/04 10:27:00 UTC

[jira] [Updated] (SHIRO-906) URIs like "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf" are blocked

     [ https://issues.apache.org/jira/browse/SHIRO-906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ronald Feicht updated SHIRO-906:
--------------------------------
    Description: 
When a user uploads a PDF document to this URI:

https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf

which is the url-encoded form of

"https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf"

an HTTP 400 response is generated by Shiro with this as the body:
<html>
<head>
 <title>Error</title>
</head>
<body>Invalid request</body>
</html>

With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I found
org.apache.shiro.web.filter.InvalidRequestFilter line 67:

return !StringUtils.hasText(uri)

which means that a URI which is null or has zero length or consists only of whitespace should be considered a valid URI. I am pretty sure this is not what the author intended and that the "!" just needs to be removed to fix this bug.

  was:
When a user uploads a PDF document to this URI;

https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf

which is the url-encoded form of

"https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf"

an HTTP 400 response is generated by Shiro with this as the body:
<html>
<head>
 <title>Error</title>
</head>
<body>Invalid request</body>
</html>

With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I found
org.apache.shiro.web.filter.InvalidRequestFilter line 67:

return !StringUtils.hasText(uri)

which means that an URI which is null or has zero length or consists only of whitespace should be considered a valid URI. I am pretty sure this is not what the author intended and that the "!" just needs to be removed to fix this bug.


> URIs like "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf" are blocked
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-906
>                 URL: https://issues.apache.org/jira/browse/SHIRO-906
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1
>            Reporter: Ronald Feicht
>            Priority: Major
>
> When a user uploads a PDF document to this URI:
> https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf
> which is the url-encoded form of
> "https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf"
> an HTTP 400 response is generated by Shiro with this as the body:
> <html>
> <head>
>  <title>Error</title>
> </head>
> <body>Invalid request</body>
> </html>
>
> With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I found
> org.apache.shiro.web.filter.InvalidRequestFilter line 67:
> return !StringUtils.hasText(uri)
> which means that a URI which is null or has zero length or consists only of whitespace should be considered a valid URI. I am pretty sure this is not what the author intended and that the "!" just needs to be removed to fix this bug.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@shiro.apache.org
For additional commands, e-mail: issues-help@shiro.apache.org
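Added example, not part of the report above and not Shiro's source: a stand-alone Java model of the request check the report points at. In Shiro's InvalidRequestFilter (introduced in 1.7.0, which matches the affected versions listed) the quoted "!StringUtils.hasText(uri)" is only the first operand of an "||" expression; the second operand holds the semicolon, backslash and non-ASCII checks, and the filter applies that predicate to the raw request URI and to the container-decoded servlet path and path info. The model below keeps that shape so a reader can run the reporter's URI through it. Class and method names, the constructor flags and the "/rest/*" servlet mapping assumed in main() are this example's own.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;

/**
 * Stand-alone model of a request-validation filter of the kind the report
 * describes. Example code, not Shiro's InvalidRequestFilter: names, flags and
 * the decoding in main() are this example's own. It keeps the shape of the
 * quoted line, where the null/blank clause is the first operand of a longer
 * "||" expression.
 */
public class RequestUriCheck {

    // The raw request URI is checked before decoding, so a filter has to catch
    // both the literal character and its percent-encoded spellings.
    private static final List<String> SEMICOLON = Arrays.asList(";", "%3b", "%3B");
    private static final List<String> BACKSLASH = Arrays.asList("\\", "%5c", "%5C");

    private final boolean blockSemicolon;
    private final boolean blockBackslash;
    private final boolean blockNonAscii;

    public RequestUriCheck(boolean blockSemicolon, boolean blockBackslash, boolean blockNonAscii) {
        this.blockSemicolon = blockSemicolon;
        this.blockBackslash = blockBackslash;
        this.blockNonAscii = blockNonAscii;
    }

    /**
     * A path component is valid when it is null/blank (for example a request
     * with no path info at all) or when it passes every enabled check. The
     * leading "!hasText" clause only short-circuits the null/blank case; the
     * three checks after it are what can reject a real URI.
     */
    boolean isValid(String uri) {
        return !hasText(uri)
                || (!containsSemicolon(uri)
                && !containsBackslash(uri)
                && !containsNonAscii(uri));
    }

    /**
     * The raw URI is checked as sent (percent-encoded) and the container-decoded
     * parts are checked too, so a character hidden behind %XX escapes is still seen.
     */
    public boolean isAllowed(String rawRequestUri, String decodedServletPath, String decodedPathInfo) {
        return isValid(rawRequestUri) && isValid(decodedServletPath) && isValid(decodedPathInfo);
    }

    /** Names the first check a component fails, or "ok"; a diagnostic for the bare 400 body. */
    public String rejectionReason(String uri) {
        if (!hasText(uri)) return "ok (null or blank)";
        if (containsSemicolon(uri)) return "semicolon";
        if (containsBackslash(uri)) return "backslash";
        if (containsNonAscii(uri)) return "non-ASCII or control character";
        return "ok";
    }

    // null, empty and whitespace-only all count as "no text".
    static boolean hasText(String s) {
        return s != null && !s.trim().isEmpty();
    }

    private boolean containsSemicolon(String uri) {
        return blockSemicolon && SEMICOLON.stream().anyMatch(uri::contains);
    }

    private boolean containsBackslash(String uri) {
        return blockBackslash && BACKSLASH.stream().anyMatch(uri::contains);
    }

    // Anything outside printable ASCII (0x20..0x7E) fails: 'ä' is U+00E4 and
    // fails, a decoded space is exactly 0x20 and passes.
    private boolean containsNonAscii(String uri) {
        if (!blockNonAscii) return false;
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c < '\u0020' || c > '\u007e') return true;
        }
        return false;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed from the report's URI; the /rest/* servlet mapping is an
        // assumption used to split it into servlet path and path info.
        String raw = "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf";
        String servletPath = "/rest";
        String pathInfo = URLDecoder.decode(raw.substring("/Dms/rest".length()), "UTF-8");

        RequestUriCheck strict = new RequestUriCheck(true, true, true);
        System.out.println("decoded path info : " + pathInfo);
        System.out.println("raw URI           : " + strict.rejectionReason(raw));      // ok: %C3%A4 and %20 are ASCII
        System.out.println("path info         : " + strict.rejectionReason(pathInfo)); // non-ASCII: the decoded 'ä'
        System.out.println("null path info    : " + strict.rejectionReason(null));     // ok (null or blank)
        System.out.println("request allowed   : " + strict.isAllowed(raw, servletPath, pathInfo)); // false -> HTTP 400

        // With the non-ASCII check off the upload passes; the encoded-semicolon
        // and backslash checks still apply to the raw URI.
        RequestUriCheck lenient = new RequestUriCheck(true, true, false);
        System.out.println("allowed, ASCII check off : " + lenient.isAllowed(raw, servletPath, pathInfo)); // true
        System.out.println("encoded ';' still blocked: " + !lenient.isValid("/Dms/rest/x%3Bjsessionid=abc")); // true
    }
}
```

Run with "javac RequestUriCheck.java && java RequestUriCheck". The two lines worth comparing are the raw URI, which is pure ASCII and passes every check, and the decoded path info, which fails only the non-ASCII check because of the "ä"; the null case shows what the quoted clause is there for. Whether to relax that check is a deployment decision: it exists to keep encoding tricks out of authorization path matching, so narrowing it to specific filter chains is safer than switching it off globally.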