Posted to dev@shiro.apache.org by "Brian Demers (Jira)" <ji...@apache.org> on 2020/06/24 15:14:00 UTC

[jira] [Comment Edited] (SHIRO-753) Regression in URI parsing in Shiro 1.5.2

    [ https://issues.apache.org/jira/browse/SHIRO-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17143916#comment-17143916 ] 

Brian Demers edited comment on SHIRO-753 at 6/24/20, 3:13 PM:
--------------------------------------------------------------

[~sourabhsparkala] The line you referenced is no longer used by Shiro.  It is part of the public API, and was marked deprecated.  Usage outside of this method outside of the Shiro project would be unrelated to this CVE.

 

Also, if/when you think you see a security-related issue in the future please contact our security list (security@shiro.apache.org) first (for more details see: [https://www.apache.org/security/])


was (Author: bdemers):
[~sourabhsparkala] The line you referenced is no longer used by Shiro.  It is part of the public API, and was marked deprecated.  Usage outside of this message outside of the Shiro project would be unrelated to this CVE.

 

Also, if/when you think you see a security-related issue in the future please contact our security list (security@shiro.apache.org) first (for more details see: [https://www.apache.org/security/])

> Regression in URI parsing in Shiro 1.5.2
> ----------------------------------------
>
>                 Key: SHIRO-753
>                 URL: https://issues.apache.org/jira/browse/SHIRO-753
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.5.2
>            Reporter: Antoine DESSAIGNE
>            Priority: Critical
>             Fix For: 1.5.3
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Hello everyone,
> In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer supports paths with a '%' character in them.
> In Shiro 1.5.1, when the path is "A%B", the String URI retrieved from {{request.getRequestURI()}} returns "A%25B", which is properly decoded afterward by the {{decodeAndCleanUriString}} method.
> In Shiro 1.5.2, when the path is "A%B", the String URI reconstructed from context+path+pathInfo returns "A%B" (it's already decoded), which crashes when calling {{decodeAndCleanUriString}}:
> {noformat}
> Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
>     at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
>     at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]
> {noformat}
> Decoding the URI twice might produce other incorrect results.
> Can you have a look? Thanks!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
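The double-decode described in the quoted report, shown as an added stand-alone example (not Shiro's code): one helper decodes the raw request URI once, the other rebuilds the path from servlet parts that are treated as already decoded (as the report describes) and decodes again. The class name, helper names and sample paths are constructed for illustration; `URLDecoder.decode(String, Charset)` assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Illustrates the SHIRO-753 regression: decoding a request path once versus twice. */
public class DoubleDecodeDemo {

    /** 1.5.1-style: start from the raw, still-encoded request URI and decode exactly once. */
    static String pathFromRawRequestUri(String rawRequestUri) {
        return URLDecoder.decode(rawRequestUri, StandardCharsets.UTF_8);
    }

    /**
     * 1.5.2-style: the parts are taken as already decoded (per the report), so decoding
     * their concatenation is a second decode of the same path.
     */
    static String pathFromDecodedParts(String contextPath, String servletPath, String pathInfo) {
        String alreadyDecoded = contextPath + servletPath + (pathInfo == null ? "" : pathInfo);
        return URLDecoder.decode(alreadyDecoded, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: the client asked for the literal path "/app/A%B",
        // which travels on the wire as "/app/A%25B".
        String raw = "/app/A%25B";
        System.out.println(pathFromRawRequestUri(raw)); // prints /app/A%B

        try {
            // The already-decoded parts are "/app" + "/A%B"; "%B" is not a valid escape.
            System.out.println(pathFromDecodedParts("/app", "/A%B", null));
        } catch (IllegalArgumentException e) {
            // Same failure class as the stack trace in the report.
            System.out.println("second decode failed: " + e.getMessage());
        }

        // The second decode does not always fail: when the once-decoded path still looks
        // encoded it is silently changed, so the two strategies disagree on what was requested.
        String raw2 = "/app/file%2520name"; // client asked literally for "file%20name"
        System.out.println(pathFromRawRequestUri(raw2));                       // /app/file%20name
        System.out.println(pathFromDecodedParts("/app", "/file%20name", null)); // /app/file name
    }
}
```

The second case is the "other incorrect results" the reporter warns about: a path-matching decision made on the twice-decoded string no longer matches the path the client actually requested, so the fix must decode exactly once from the raw URI.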