gong created SHIRO-682:
--------------------------
Summary: fix the potential threat when use "uri = uri + '/' " to
bypassed shiro protect
Key: SHIRO-682
URL: https://issues.apache.org/jira/browse/SHIRO-682
Project: Shiro
Issue Type: Bug
Components: Web
Affects Versions: 1.3.2
Reporter: gong
Fix For: 1.3.2
hi, the potential threat found when use shiro filter.
in spring web, the {{requestURI :}} {{/resource/menus}} and
{{resource/menus/}} both can access the resource,
but the {{pathPattern}} match {{/resource/menus}} can not match
{{resource/menus/}}
user can use {{requestURI}} + {{"/"}} to simply bypassed chain filter, to
bypassed shiro protect
[PR #127|[https://github.com/apache/shiro/pull/127]]
:)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
