[
https://issues.apache.org/jira/browse/SHIRO-509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14945614#comment-14945614
]
Ariel Isaac edited comment on SHIRO-509 at 10/6/15 7:19 PM:
------------------------------------------------------------
Hey, that was a sharp deduction. Then it would be something like this?
{code:borderStyle=solid}
private static String decodeAndCleanUriString(HttpServletRequest request,
                                              String uri) {
    uri = decodeRequestString(request, uri);
    int slashIndex = uri.lastIndexOf('/');
    // Look for ';' only in the last path segment, so that matrix parameters
    // in parent segments are left intact.
    int semicolonIndex = uri.indexOf(';', slashIndex + 1);
    return (semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri);
}
{code}
> WebUtils.decodeAndCleanUriString incorrectly handles matrix parameters
> ----------------------------------------------------------------------
>
> Key: SHIRO-509
> URL: https://issues.apache.org/jira/browse/SHIRO-509
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.2.2
> Environment: Webapp deployment in Jetty
> Reporter: Mark Hale
>
> If I configure a web filter (say anon) for a path /**/public and make a request
> to /mystuff;filter=toys/prices/public, the filter is not triggered because
> WebUtils.decodeAndCleanUriString() removes everything after the ';' (so it
> only tries to match on /mystuff). The fix is to change
> int semicolonIndex = uri.indexOf(';');
> to
> int lastSlash = uri.lastIndexOf('/');
> int semicolonIndex = uri.lastIndexOf(';');
> if(semicolonIndex > lastSlash) then drop trailing matrix params, so that
> matrix params in parent path segments are left intact.
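Added example, not part of the original message and not Shiro's own code: it runs the URI from the issue through three cleaning strategies and shows which path-based rules would then see a match. The method names, the `/mystuff/**` rule, the constructed URIs and the third strategy (stripping matrix parameters from every segment, which goes beyond what the issue proposes) are assumptions made for illustration.

```java
import java.util.List;

public class MatrixParamDemo {

    // Behaviour described in the issue: everything from the first ';' is dropped.
    static String cutAtFirstSemicolon(String uri) {
        int semicolonIndex = uri.indexOf(';');
        return semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri;
    }

    // Behaviour the issue asks for: drop matrix parameters only in the last
    // path segment and leave parent segments untouched.
    static String cutTrailingOnly(String uri) {
        int lastSlash = uri.lastIndexOf('/');
        int semicolonIndex = uri.indexOf(';', lastSlash + 1);
        return semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri;
    }

    // Alternative not proposed in the issue: drop matrix parameters from
    // every segment, so rules see the same path with or without them.
    static String cutEverySegment(String uri) {
        return uri.replaceAll(";[^/]*", "");
    }

    public static void main(String[] args) {
        List<String> uris = List.of(
            "/mystuff;filter=toys/prices/public",   // URI from the issue
            "/prices/public;jsessionid=abc",        // constructed
            "/a/b;x=1;y=2",                         // constructed
            "/plain/public");                       // constructed
        for (String uri : uris) {
            System.out.println(uri);
            for (String cleaned : List.of(cutAtFirstSemicolon(uri),
                                          cutTrailingOnly(uri),
                                          cutEverySegment(uri))) {
                // Simplified stand-ins for the Ant-style rules "/**/public"
                // (from the issue) and "/mystuff/**" (hypothetical).
                boolean publicRule = cleaned.endsWith("/public");
                boolean mystuffRule = cleaned.equals("/mystuff")
                        || cleaned.startsWith("/mystuff/");
                System.out.printf("  %-36s /**/public=%-5b /mystuff/**=%b%n",
                                  cleaned, publicRule, mystuffRule);
            }
        }
    }
}
```

With trailing-only stripping, the issue's URI keeps `;filter=toys` in its first segment, so a rule written against a plain `/mystuff` segment no longer matches that request; whichever strategy is chosen, the path the filter matches on should be the same one the container uses to dispatch the request.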