Posted to dev@shiro.apache.org by "Benjamin Marwell (Jira)" <ji...@apache.org> on 2021/08/18 20:38:00 UTC

[jira] [Updated] (SHIRO-629) WildcardPermission syntax

     [ https://issues.apache.org/jira/browse/SHIRO-629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Marwell updated SHIRO-629:
-----------------------------------
    Description: 
While looking at the WildcardPermission I see it allows a much wider range of usage than used in all the examples I've seen. Looking at the implementation, I notice it is not verifying. I also noted that there is no escaping for matching the [*:,] tokens in the target permission. I think the examples follow a grammar like:

{{permission ::= part ( ':' part ) *}}
{{part       ::= wildcard | options}}
{{wildcard   ::= '*'}}
{{options    ::= literal ( ',' literal )}}
{{literal    ::= [^*:,]+}}

This should disallow permissions like "abc*def", "abc:def,*:foo", "abc:", "x:::::::::::::::". However, the implementation seems to more or less allow anything without warnings or errors. Is this intentional?

Last, the implementation looks quite expensive, since it requires numerous lists, sets, and arrays for each construction. It also executes n*m regular expression operations for the split. Since the target permission could be constructed frequently, as it contains the parameters, this is imho very costly.

Therefore it would be nice if a formal grammar including the character set and escaping.

  was:
While looking at the WildcardPermission I see it allows a much wider range of usage than used in all the examples I've seen. Looking at the implementation, I notice it is not verifying. I also noted that there is no escaping for matching the [*:,] tokens in the target permission. I think the examples follow a grammar like:

      permission ::= part ( ':' part ) *
      part       ::= wildcard | options
      wildcard   ::= '*'
      options    ::= literal ( ',' literal )
      literal    ::= [^*:,]+

This should disallow permissions like "abc*def", "abc:def,*:foo", "abc:", "x:::::::::::::::". However, the implementation seems to more or less allow anything without warnings or errors. Is this intentional?

Last, the implementation looks quite expensive, since it requires numerous lists, sets, and arrays for each construction. It also executes n*m regular expression operations for the split. Since the target permission could be constructed frequently, as it contains the parameters, this is imho very costly.

Therefore it would be nice if a formal grammar including the character set and escaping.



> WildcardPermission syntax
> -------------------------
>
>                 Key: SHIRO-629
>                 URL: https://issues.apache.org/jira/browse/SHIRO-629
>             Project: Shiro
>          Issue Type: Question
>          Components: Authorization (access control) 
>            Reporter: Peter Kriens
>            Priority: Critical
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
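Added example (not Shiro's code and not part of the ticket): a strict parser for the grammar proposed in the description, run over the four strings it says should be rejected. It assumes the ',' group in `options` repeats zero or more times, mirroring the ':' group, since the ticket writes that rule without a repeat marker.

```python
import re

# Reserved tokens in the proposed grammar: ':' separates parts, ',' separates
# options inside a part, and a bare '*' is the only wildcard form. The grammar
# defines no escape, so a literal can never contain any of the three.
_LITERAL = re.compile(r"[^*:,]+")

WILDCARD = "*"  # marker stored for a part that was exactly '*'


def parse_permission(permission: str) -> list:
    """Parse `permission` against the grammar proposed in SHIRO-629.

        permission ::= part ( ':' part )*
        part       ::= '*' | literal ( ',' literal )*
        literal    ::= [^*:,]+

    Returns one entry per part: WILDCARD for '*', otherwise a frozenset of the
    part's literals. Raises ValueError, naming the offending part, for input
    outside the grammar. Assumption: the ',' group repeats zero or more times.
    """
    if permission == "":
        raise ValueError("empty permission string")
    parts = []
    for index, part in enumerate(permission.split(":")):
        if part == WILDCARD:
            parts.append(WILDCARD)
            continue
        if part == "":
            raise ValueError(f"part {index} is empty (trailing or doubled ':')")
        options = part.split(",")
        for option in options:
            # Catches '*' mixed into a literal ("abc*def"), a wildcard used as
            # one option among several ("def,*"), and empty options ("a,,b").
            if _LITERAL.fullmatch(option) is None:
                raise ValueError(f"part {index} ({part!r}): {option!r} is not a literal")
        parts.append(frozenset(options))
    return parts


def is_valid_permission(permission: str) -> bool:
    """True when `permission` conforms to the grammar, False otherwise."""
    try:
        parse_permission(permission)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: the ticket's four rejected strings plus accepted shapes.
    for sample in ["abc*def", "abc:def,*:foo", "abc:", "x:::::::::::::::",
                   "printer:print,query:lp7200", "user:*", "*"]:
        print(f"{sample!r:32} -> {is_valid_permission(sample)}")
```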