Posted to commits@shiro.apache.org by ka...@apache.org on 2011/02/10 19:50:19 UTC
svn commit: r1069525 -
/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolverTest.java
Author: kaosko
Date: Thu Feb 10 18:50:19 2011
New Revision: 1069525
URL: http://svn.apache.org/viewvc?rev=1069525&view=rev
Log:
Added tests for path traversal prevention, had implemented them way before but apparently never committed
Modified:
shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolverTest.java
Modified: shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolverTest.java
URL: http://svn.apache.org/viewvc/shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolverTest.java?rev=1069525&r1=1069524&r2=1069525&view=diff
==============================================================================
--- shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolverTest.java (original)
+++ shiro/trunk/web/src/test/java/org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolverTest.java Thu Feb 10 18:50:19 2011
@@ -106,6 +106,44 @@ public class PathMatchingFilterChainReso
assertNotNull(resolved);
verify(request);
}
+
+ @Test
+ public void testPathTraversalWithDot() {
+ HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+ FilterChain chain = createNiceMock(FilterChain.class);
+
+ //ensure at least one chain is defined:
+ resolver.getFilterChainManager().addToChain("/index.html", "authcBasic");
+
+ expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null).anyTimes();
+ expect(request.getContextPath()).andReturn("");
+ expect(request.getRequestURI()).andReturn("/./index.html");
+ replay(request);
+
+ FilterChain resolved = resolver.getChain(request, response, chain);
+ assertNotNull(resolved);
+ verify(request);
+ }
+
+ @Test
+ public void testPathTraversalWithDotDot() {
+ HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+ FilterChain chain = createNiceMock(FilterChain.class);
+
+ //ensure at least one chain is defined:
+ resolver.getFilterChainManager().addToChain("/index.html", "authcBasic");
+
+ expect(request.getAttribute(WebUtils.INCLUDE_CONTEXT_PATH_ATTRIBUTE)).andReturn(null).anyTimes();
+ expect(request.getContextPath()).andReturn("");
+ expect(request.getRequestURI()).andReturn("/public/../index.html");
+ replay(request);
+
+ FilterChain resolved = resolver.getChain(request, response, chain);
+ assertNotNull(resolved);
+ verify(request);
+ }
@Test
public void testGetChainsWithoutMatch() {
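Review bot: Both new tests assert only `assertNotNull(resolved)` with a single `/index.html` chain registered, so they show that `/./index.html` and `/public/../index.html` end up matching that chain, but not that the un-normalized form is kept away from a pattern it would textually match. For testPathTraversalWithDotDot, a companion case that registers only `resolver.getFilterChainManager().addToChain("/public/**", "authcBasic");` and expects `assertNull(resolved);` for the same request URI would pin that down; this presumes `assertNull` is already imported, since the class header and the `resolver` setup are outside the hunk. The two methods also differ only in the URI string, so a private helper taking the URI would remove the duplicated mock setup. A short comment such as `// "/public/../index.html" must be matched as "/index.html"` above each `getRequestURI()` expectation would state the intended normalized path for the next reader.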