You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Francois Papon (Jira)" <ji...@apache.org> on 2019/11/20 14:03:00 UTC

[jira] [Comment Edited] (SHIRO-682) fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect

    [ https://issues.apache.org/jira/browse/SHIRO-682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16978446#comment-16978446 ] 

Francois Papon edited comment on SHIRO-682 at 11/20/19 2:02 PM:
----------------------------------------------------------------

Merged and included in the next 1.5.0 release.


was (Author: fpapon):
Merge and included in the next 1.5.0 release.

> fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect
> ------------------------------------------------------------------------------
>
>                 Key: SHIRO-682
>                 URL: https://issues.apache.org/jira/browse/SHIRO-682
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.3.2
>            Reporter: tomsun28
>            Assignee: Francois Papon
>            Priority: Major
>              Labels: security
>             Fix For: 1.5.0
>
>          Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> hi, the potential threat found when use shiro filter.
>  in spring web, the {{requestURI :}} {{/resource/menus}} and {{resource/menus/}} both can access the resource,
>  but the {{pathPattern}} match {{/resource/menus}} can not match {{resource/menus/}}
>  user can use {{requestURI}} + {{"/"}} to simply bypassed chain filter, to bypassed shiro protect
> [PR #127|[https://github.com/apache/shiro/pull/127]]
> :)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)