Posted to commits@shiro.apache.org by bd...@apache.org on 2016/07/07 16:06:54 UTC
shiro git commit: SHIRO-570: Only accept a cookie value when the
request uses the proper path.
Repository: shiro
Updated Branches:
refs/heads/master 206dae99f -> 48980e1e2
SHIRO-570: Only accept a cookie value when the request uses the proper path.
Fixes #23, SHIRO-570
Project: http://git-wip-us.apache.org/repos/asf/shiro/repo
Commit: http://git-wip-us.apache.org/repos/asf/shiro/commit/48980e1e
Tree: http://git-wip-us.apache.org/repos/asf/shiro/tree/48980e1e
Diff: http://git-wip-us.apache.org/repos/asf/shiro/diff/48980e1e
Branch: refs/heads/master
Commit: 48980e1e27e9d4356fa6ebdcbf791856f80d43a7
Parents: 206dae9
Author: Andreas Kohn <an...@gmail.com>
Authored: Thu Mar 17 15:07:27 2016 +0100
Committer: Brian Demers <bd...@apache.org>
Committed: Thu Jul 7 12:00:12 2016 -0400
----------------------------------------------------------------------
.../apache/shiro/web/servlet/SimpleCookie.java | 28 +++++++++++++++--
.../shiro/web/servlet/SimpleCookieTest.java | 33 ++++++++++++++++++++
2 files changed, 59 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/shiro/blob/48980e1e/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
----------------------------------------------------------------------
diff --git a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
index 1f27e9b..c8d1420 100644
--- a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
+++ b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
@@ -329,6 +329,24 @@ public class SimpleCookie implements Cookie {
}
/**
+ * Check whether the given {@code cookiePath} matches the {@code requestPath}
+ *
+ * @param cookiePath
+ * @param requestPath
+ * @return
+ * @see <a href="https://tools.ietf.org/html/rfc6265#section-5.1.4">RFC 6265, Section 5.1.4 "Paths and Path-Match"</a>
+ */
+ private boolean pathMatches(String cookiePath, String requestPath) {
+ if (!requestPath.startsWith(cookiePath)) {
+ return false;
+ }
+
+ return requestPath.length() == cookiePath.length()
+ || cookiePath.charAt(cookiePath.length() - 1) == '/'
+ || requestPath.charAt(cookiePath.length()) == '/';
+ }
+
+ /**
* Formats a date into a cookie date compatible string (Netscape's specification).
*
* @param date the date to format
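Review bot: The Javadoc on the new `pathMatches` leaves `@param` and `@return` blank, and the precondition the helper relies on is not stated anywhere: it implements the RFC 6265 §5.1.4 comparison faithfully but assumes `requestPath` is already a normalized path (no dot-segments, duplicate slashes or percent-encoding are handled here) and that `cookiePath` is non-empty. Suggest `@param cookiePath the configured cookie path; must be non-empty`, `@param requestPath the request path to test, expected to be already normalized by the caller`, `@return {@code true} if {@code requestPath} path-matches {@code cookiePath} per RFC 6265 section 5.1.4`. With an empty `cookiePath` and a longer `requestPath` the expression `cookiePath.charAt(cookiePath.length() - 1)` throws `StringIndexOutOfBoundsException`; the only visible caller passes `StringUtils.clean(getPath())`, which presumably never yields an empty string, but a one-line guard `if (cookiePath.isEmpty()) return false;` would make the helper safe on its own.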
@@ -362,8 +380,14 @@ public class SimpleCookie implements Cookie {
String value = null;
javax.servlet.http.Cookie cookie = getCookie(request, name);
if (cookie != null) {
- value = cookie.getValue();
- log.debug("Found '{}' cookie value [{}]", name, value);
+ // Validate that the cookie is used at the correct place.
+ String path = StringUtils.clean(getPath());
+ if (path != null && !pathMatches(path, request.getRequestURI())) {
+ log.warn("Found '{}' cookie at path '{}', but should be only used for '{}'", new Object[] { name, request.getRequestURI(), path});
+ } else {
+ value = cookie.getValue();
+ log.debug("Found '{}' cookie value [{}]", name, value);
+ }
} else {
log.trace("No '{}' cookie value", name);
}
http://git-wip-us.apache.org/repos/asf/shiro/blob/48980e1e/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
----------------------------------------------------------------------
diff --git a/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java b/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
index 79d88e8..3a272aa 100644
--- a/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
+++ b/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
@@ -116,6 +116,39 @@ public class SimpleCookieTest extends TestCase {
testRootContextPath(null);
}
+ @Test
+ public void testReadValueInvalidPath() throws Exception {
+ expect(mockRequest.getRequestURI()).andStubReturn("/foo/index.jsp");
+ expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] { new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
+ replay(mockRequest);
+ replay(mockResponse);
+
+ this.cookie.setPath("/bar/index.jsp");
+ assertEquals(null, this.cookie.readValue(mockRequest, mockResponse));
+ }
+
+ @Test
+ public void testReadValuePrefixPath() throws Exception {
+ expect(mockRequest.getRequestURI()).andStubReturn("/bar/index.jsp");
+ expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] { new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
+ replay(mockRequest);
+ replay(mockResponse);
+
+ this.cookie.setPath("/bar");
+ assertEquals("value", this.cookie.readValue(mockRequest, mockResponse));
+ }
+
+ @Test
+ public void testReadValueInvalidPrefixPath() throws Exception {
+ expect(mockRequest.getRequestURI()).andStubReturn("/foobar/index.jsp");
+ expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] { new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
+ replay(mockRequest);
+ replay(mockResponse);
+
+ this.cookie.setPath("/foo");
+ assertEquals(null, this.cookie.readValue(mockRequest, mockResponse));
+ }
+
private static <T extends javax.servlet.http.Cookie> T eqCookie(final T in) {
reportMatcher(new IArgumentMatcher() {
public boolean matches(Object o) {
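Review bot: The three new tests cover an unrelated path, a directory-boundary prefix and a false prefix, but not the other two branches of `pathMatches`: a cookie path ending in `/` (e.g. `/bar/` against `/bar/index.jsp`) and an exact match (`/bar/index.jsp` against itself), nor the unset-path case in which the check is bypassed and the value is returned unconditionally. Since the test class fixture (`this.cookie`, `mockRequest`, `mockResponse`) is set up outside this hunk, the added cases can reuse the same mock shape; the enclosing `SimpleCookieTest` class continues beyond the hunk. Suggested additions:

```java
    @Test
    public void testReadValueTrailingSlashPath() throws Exception {
        expect(mockRequest.getRequestURI()).andStubReturn("/bar/index.jsp");
        expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] { new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
        replay(mockRequest);
        replay(mockResponse);

        // RFC 6265 5.1.4: a cookie-path ending in '/' matches any request-path it prefixes.
        this.cookie.setPath("/bar/");
        assertEquals("value", this.cookie.readValue(mockRequest, mockResponse));
    }

    @Test
    public void testReadValueExactPath() throws Exception {
        expect(mockRequest.getRequestURI()).andStubReturn("/bar/index.jsp");
        expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] { new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
        replay(mockRequest);
        replay(mockResponse);

        // Identical cookie-path and request-path must match.
        this.cookie.setPath("/bar/index.jsp");
        assertEquals("value", this.cookie.readValue(mockRequest, mockResponse));
    }
```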