[ https://issues.apache.org/jira/browse/SHIRO-766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100557#comment-17100557 ]
Christoffer Eide commented on SHIRO-766:
----------------------------------------
Hi. Sorry, I should have provided more details when creating the issue.
Yes, this is mostly log spam. But this error doesn't occur that often.
In addition to the log spam, requests started failing, but that was caused by
us using the {{CookieRememberMeManager}} directly.
We were doing:
{code:lang=java}
try {
    return cookieRememberMeManager.getRememberedPrincipals(context);
} catch (ShiroException e) {
    // ArrayIndexOutOfBoundsException is not a ShiroException, so it is not caught here
}
{code}
The {{ArrayIndexOutOfBoundsException}} caught me by surprise.
We don't have two applications running on the same domain. We noticed this
problem when a client tried to use an incorrectly URL-encoded rememberMe cookie.
Here is the cookie value causing the problem:
{noformat}
cmVmcmVzaC10b2tlbi25D9%2Bdf8P%2Fa9ehyy7lV3j0MdQ7nd9BFecA4tmOAF%2BuN4VdiYaMfSrb7yb3mmxyxUGjsQnWzfe8H52We%2BrGmL%2F0I63yxF7hE7o9jd%2B43NEaWh5WBiCkNRg5Bl2r9QT1od8
{noformat}
> ArrayIndexOutOfBoundsException in Base64#decode
> -----------------------------------------------
>
> Key: SHIRO-766
> URL: https://issues.apache.org/jira/browse/SHIRO-766
> Project: Shiro
> Issue Type: Bug
> Components: RememberMe
> Reporter: Christoffer Eide
> Priority: Minor
> Fix For: 1.5.4
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> While investigating a bug in our application, I stumbled upon this mail
> thread:
> https://www.mail-archive.com/[email protected]/msg05654.html
> We have encountered the same issue.
> In
> {{org.apache.shiro.web.mgt.CookieRememberMeManager#getRememberedSerializedIdentity}}:
> {code}
> String base64 = getCookie().readValue(request, response);
> base64 = ensurePadding(base64);
> byte[] decoded = Base64.decode(base64);
> {code}
> If the cookie value contains characters that are not valid base64, the call
> to {{Base64.decode}} fails with:
> {noformat}
> java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
> at org.apache.shiro.codec.Base64.decode(Base64.java:470)
> at org.apache.shiro.codec.Base64.decode(Base64.java:414)
> {noformat}
> It can be reproduced like this:
> {code}
> Base64.decode(ensurePadding("383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"))
> {code}
> If the same value is passed to Guava's base64 encoder, it fails with:
> {noformat}
> com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: -
> {noformat}
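The failure mode discussed in this thread, as an added example that is not part of the original message or of Shiro's code: a strict pre-decode check that turns any malformed rememberMe cookie value into "no remembered identity" instead of an unexpected runtime exception. The class and method names are hypothetical, and the JDK's `java.util.Base64` is used in place of Shiro's own codec.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example, not Shiro code; class and method names are hypothetical.
public class RememberMeCookieCheck {

    /**
     * Strictly decodes a rememberMe cookie value. Anything that is not
     * well-formed Base64 yields Optional.empty(), so the caller treats it as
     * "no remembered identity" instead of letting a runtime exception escape.
     */
    static Optional<byte[]> decodeStrict(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            return Optional.empty();
        }
        try {
            // java.util.Base64's basic decoder throws IllegalArgumentException
            // for characters outside the alphabet (such as '%' and '-') and
            // does not require trailing '=' padding.
            return Optional.of(Base64.getDecoder().decode(cookieValue));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    static String describe(String cookieValue) {
        return decodeStrict(cookieValue)
                .map(bytes -> "accepted, " + bytes.length + " bytes")
                .orElse("rejected, treat as no remembered identity");
    }

    public static void main(String[] args) {
        // Reproduction string from the issue description.
        String fromIssue = "383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm";
        // Constructed sample: a well-formed value, and the same value with
        // its padding percent-encoded, like the failing client cookie.
        String valid = Base64.getEncoder()
                .encodeToString("constructed sample!".getBytes(StandardCharsets.UTF_8));
        String percentEncoded = valid.replace("=", "%3D");

        System.out.println("issue repro:     " + describe(fromIssue));
        System.out.println("valid:           " + describe(valid));
        System.out.println("percent-encoded: " + describe(percentEncoded));
    }
}
```

A rejected value is a reasonable point to log once at a low level and clear the cookie, which addresses the log spam mentioned in the comment.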