You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Sourabh Sarvotham Parkala (Jira)" <ji...@apache.org> on 2020/06/24 14:54:00 UTC

[jira] [Commented] (SHIRO-753) Regression in URI parsing in Shiro 1.5.2

    [ https://issues.apache.org/jira/browse/SHIRO-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17143891#comment-17143891 ] 

Sourabh Sarvotham Parkala commented on SHIRO-753:
-------------------------------------------------

This fix re-introduced CVE-2020-1957. As this fix was reverted [https://github.com/apache/shiro/commit/b90f91875e5e18c4805013c2fa0567b1700f5a96#diff-98f7bc5c0391389e56531f8b3754081aR132].

 

Could you please let me know what is the next step to address this?

> Regression in URI parsing in Shiro 1.5.2
> ----------------------------------------
>
>                 Key: SHIRO-753
>                 URL: https://issues.apache.org/jira/browse/SHIRO-753
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.5.2
>            Reporter: Antoine DESSAIGNE
>            Priority: Critical
>             Fix For: 1.5.3
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Hello everyone,
> In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer support paths with '%' character in it
> In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from {{request.getRequestURI()}} returns "A%25B" which is properly decoded afterward by the {{decodeAndCleanUriString}} method.
> In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from context+path+pathInfo returns "A%B" (it's already decoded) which crashes when calling {{decodeAndCleanUriString}}
> {noformat}
> Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
>     at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
>     at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]
> {noformat}
> Decoding twice the URI might produce other incorrect results.
> Can you have a look? Thanks!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)