Posted to dev@shiro.apache.org by "Sourabh Sarvotham Parkala (Jira)" <ji...@apache.org> on 2020/06/24 14:54:00 UTC
[jira] [Commented] (SHIRO-753) Regression in URI parsing in Shiro 1.5.2
[ https://issues.apache.org/jira/browse/SHIRO-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17143891#comment-17143891 ]
Sourabh Sarvotham Parkala commented on SHIRO-753:
-------------------------------------------------
This fix re-introduced CVE-2020-1957, as this fix was reverted [https://github.com/apache/shiro/commit/b90f91875e5e18c4805013c2fa0567b1700f5a96#diff-98f7bc5c0391389e56531f8b3754081aR132].
Could you please let me know what is the next step to address this?
> Regression in URI parsing in Shiro 1.5.2
> ----------------------------------------
>
> Key: SHIRO-753
> URL: https://issues.apache.org/jira/browse/SHIRO-753
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.5.2
> Reporter: Antoine DESSAIGNE
> Priority: Critical
> Fix For: 1.5.3
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Hello everyone,
> In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer supports paths with a '%' character in them.
> In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from {{request.getRequestURI()}} returns "A%25B" which is properly decoded afterward by the {{decodeAndCleanUriString}} method.
> In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from context+path+pathInfo returns "A%B" (it's already decoded) which crashes when calling {{decodeAndCleanUriString}}
> {noformat}
> Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
> at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
> at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
> at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
> at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
> at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
> at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]
> {noformat}
> Decoding the URI twice might produce other incorrect results.
> Can you have a look? Thanks!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
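The double decoding described in the quoted report, as an added example that is neither Shiro's code nor code from anyone in this thread. The two static methods stand in for the two code paths: {{decodeOnce}} mirrors 1.5.1 (the servlet container returns the still-encoded request URI, Shiro decodes it once) and {{decodeTwice}} mirrors 1.5.2 (the container has already decoded context + servletPath + pathInfo, then Shiro's {{decodeAndCleanUriString}} decodes again). The class and method names are made up for the illustration and the inputs are constructed; {{java.net.URLDecoder}} is the same class that appears in the stack trace above.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

/** Illustration only: reproduces the single- versus double-decode behaviour, not Shiro's own code. */
public class UriDoubleDecodeDemo {

    /** 1.5.1 flow: the raw, still-encoded request URI is decoded exactly once. */
    static String decodeOnce(String encodedUri) throws UnsupportedEncodingException {
        return URLDecoder.decode(encodedUri, "UTF-8");
    }

    /**
     * 1.5.2 flow: the container has already decoded the path (first decode),
     * and the framework then decodes the already-decoded string a second time.
     */
    static String decodeTwice(String encodedUri) throws UnsupportedEncodingException {
        String containerDecoded = URLDecoder.decode(encodedUri, "UTF-8");
        return URLDecoder.decode(containerDecoded, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // A request for the literal path "A%B" travels on the wire as "A%25B" (constructed input).
        String wire = "A%25B";
        System.out.println("single decode: " + decodeOnce(wire));
        try {
            System.out.println("double decode: " + decodeTwice(wire));
        } catch (IllegalArgumentException e) {
            // The second pass sees "A%B": "%B" is not a two-digit hex escape,
            // which is the IllegalArgumentException from the stack trace.
            System.out.println("double decode failed: " + e.getMessage());
        }

        // A case that does not crash but where the two flows disagree (constructed input):
        // the client sent an escaped percent sign, so the path segment should contain "%2F" literally.
        String escapedSlash = "a%252Fb";
        System.out.println("single decode: " + decodeOnce(escapedSlash));
        System.out.println("double decode: " + decodeTwice(escapedSlash));
    }
}
```

Run it with {{javac UriDoubleDecodeDemo.java && java UriDoubleDecodeDemo}}. For the first input the single decode yields the literal path {{A%B}} while the second pass throws the "Illegal hex characters in escape (%) pattern" error quoted in the report. The second input is the quieter problem the reporter alludes to: the single decode keeps {{%2F}} as three literal characters, whereas the second decode turns it into a real {{/}}, so the path the framework matches against its filter chains contains a separator the client never sent. That is why a URI must be decoded exactly once, on the raw form, before any path comparison.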