shiro-dev mailing list archives

From "Ariel Isaac (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SHIRO-509) WebUtils.decodeAndCleanUriString incorrectly handles matrix parameters
Date Tue, 06 Oct 2015 19:20:26 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14945614#comment-14945614 ]

Ariel Isaac edited comment on SHIRO-509 at 10/6/15 7:19 PM:
------------------------------------------------------------

Hey, that was a sharp deduction. Then would it be something like this?

{code:borderStyle=solid}
private static String decodeAndCleanUriString(HttpServletRequest request, String uri) {
    uri = decodeRequestString(request, uri);
    int semicolonIndex = uri.indexOf(';');
    int slashIndex = uri.lastIndexOf('/');
    int untilIndex;
    untilIndex = semicolonIndex > slashIndex ? semicolonIndex : slashIndex;
    return (semicolonIndex != -1 ? uri.substring(0, untilIndex) : uri);
}

{code}


was (Author: aisaac):
Then would it be something like this?

{code:borderStyle=solid}
private static String decodeAndCleanUriString(HttpServletRequest request, String uri) {
    uri = decodeRequestString(request, uri);
    int semicolonIndex = uri.indexOf(';');
    int slashIndex = uri.lastIndexOf('/');
    int untilIndex;
    untilIndex = semicolonIndex > slashIndex ? semicolonIndex : slashIndex;
    return (semicolonIndex != -1 ? uri.substring(0, untilIndex) : uri);
}

{code}

> WebUtils.decodeAndCleanUriString incorrectly handles matrix parameters
> ----------------------------------------------------------------------
>
>                 Key: SHIRO-509
>                 URL: https://issues.apache.org/jira/browse/SHIRO-509
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.2.2
>         Environment: Webapp deployment in Jetty
>            Reporter: Mark Hale
>
> If I configure a web filter (say anon) for a path /**/public and make a request to /mystuff;filter=toys/prices/public,
> the filter is not triggered because WebUtils.decodeAndCleanUriString() removes everything
> after the ';' (so it only tries to match on /mystuff). The fix is to change
>         int semicolonIndex = uri.indexOf(';');
> to
>         int lastSlash = uri.lastIndexOf('/');
>         int semicolonIndex = uri.lastIndexOf(';');
> if(semicolonIndex > lastSlash) then drop trailing matrix params. So that matrix params
> in parent path segments are left intact.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
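
To compare the truncation rules discussed in this message on the report's own URI, the following is an added example, not code from the original message or from Shiro. The class and method names are hypothetical, the methods take an already-decoded string instead of calling decodeRequestString, and every sample URI except the first is constructed.

```java
public class MatrixParamCleanDemo {

    // Behaviour the report describes for 1.2.2: cut at the first ';'.
    static String cutAtFirstSemicolon(String uri) {
        int semicolonIndex = uri.indexOf(';');
        return semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri;
    }

    // Index logic of the variant posted in the comment.
    static String variantFromComment(String uri) {
        int semicolonIndex = uri.indexOf(';');
        int slashIndex = uri.lastIndexOf('/');
        int untilIndex = semicolonIndex > slashIndex ? semicolonIndex : slashIndex;
        return semicolonIndex != -1 ? uri.substring(0, untilIndex) : uri;
    }

    // Fix as worded in the report: drop only the params after the last '/'.
    static String dropTrailingParamsOnly(String uri) {
        int lastSlash = uri.lastIndexOf('/');
        int semicolonIndex = uri.lastIndexOf(';');
        return semicolonIndex > lastSlash ? uri.substring(0, semicolonIndex) : uri;
    }

    public static void main(String[] args) {
        String[] uris = {
            "/mystuff;filter=toys/prices/public", // URI from the report
            "/prices/public;v=1",                 // constructed: trailing param only
            "/mystuff;filter=toys/public;v=1",    // constructed: parent and trailing params
            "/prices/public"                      // constructed: no params
        };
        for (String uri : uris) {
            System.out.printf("%-36s first=%-16s comment=%-28s trailing=%s%n",
                    uri,
                    cutAtFirstSemicolon(uri),
                    variantFromComment(uri),
                    dropTrailingParamsOnly(uri));
        }
    }
}
```

For the URI in the report, only dropTrailingParamsOnly leaves the final /public segment in place, so it is the only variant whose result a /**/public pattern can match.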
