[ https://issues.apache.org/jira/browse/SHIRO-753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine DESSAIGNE updated SHIRO-753:
------------------------------------
    Description: 
Hello everyone,

In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer supports paths with a '%' 
character in them.

In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from 
{{request.getRequestURI()}} returns "A%25B" which is properly decoded afterward 
by the {{decodeAndCleanUriString}} method.

In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from 
context+path+pathInfo returns "A%B" (it's already decoded) which crashes when 
calling {{decodeAndCleanUriString}}
{noformat}
Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
    at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
    at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]
{noformat}

Decoding the URI twice might produce other incorrect results.

Can you have a look? Thanks!

  was:
Hello everyone,

In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer supports paths with a '%' 
character in them.

In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from 
{{request.getRequestURI()}} returns "A%25B" which is properly decoded afterward 
by the {{decodeAndCleanUriString}} method.

In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from 
context+path+pathInfo returns "A%B" (it's already decoded) which crashes when 
calling {{decodeAndCleanUriString}}
{noformat}
Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
    at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
    at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
    at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]
{noformat}

Can you have a look? Thanks!


> Regression in URI parsing in Shiro 1.5.2
> ----------------------------------------
>
>                 Key: SHIRO-753
>                 URL: https://issues.apache.org/jira/browse/SHIRO-753
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.5.2
>            Reporter: Antoine DESSAIGNE
>            Priority: Critical
>
> Hello everyone,
> In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer supports paths with a '%' 
> character in them.
> In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from 
> {{request.getRequestURI()}} returns "A%25B" which is properly decoded 
> afterward by the {{decodeAndCleanUriString}} method.
> In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from 
> context+path+pathInfo returns "A%B" (it's already decoded) which crashes when 
> calling {{decodeAndCleanUriString}}
> {noformat}
> Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 1 in: "B/"
>     at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
>     at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143) ~[?:?]
>     at org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113) ~[?:?]
> {noformat}
> Decoding the URI twice might produce other incorrect results.
> Can you have a look? Thanks!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
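
The double-decoding failure described in this report, reproduced outside Shiro as an added example (not code from the issue or from Shiro). The class name, method names and sample paths are constructed for illustration; only `java.net.URLDecoder`, which appears in the stack trace, comes from the report. It assumes Java 10 or later for the `Charset` overload of `decode`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Hypothetical demo class: shows what happens when a request path that the
// container has already percent-decoded is passed through URLDecoder again.
public class DoubleDecodeDemo {

    // Decode a percent-encoded string exactly once.
    // Note: URLDecoder also maps '+' to a space, which is form decoding,
    // not strict URI path decoding.
    static String decodeOnce(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // Decode the wire form, then decode the already-decoded value again.
    // Returns either the (possibly wrong) second result or a marker
    // carrying the decoder's rejection message.
    static String decodeTwice(String wire) {
        String decoded = decodeOnce(wire);
        try {
            return decodeOnce(decoded);
        } catch (IllegalArgumentException e) {
            // Same exception type as in the reported stack trace.
            return "<rejected: " + e.getMessage() + ">";
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths in their encoded (on-the-wire) form.
        String[] wirePaths = {
            "/app/A%25B/",    // literal '%' followed by a non-hex pair: second decode throws
            "/app/A%2541B/",  // literal "%41": second decode silently changes the path
            "/app/plain/"     // no escapes: both passes agree
        };
        for (String wire : wirePaths) {
            System.out.printf("wire=%-15s once=%-13s twice=%s%n",
                    wire, decodeOnce(wire), decodeTwice(wire));
        }
    }
}
```

The second sample is the case the report's last sentence points at: no exception is raised, but the path that reaches any later matching logic differs from the one the client sent.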
