[https://issues.apache.org/jira/browse/SHIRO-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17143916#comment-17143916]
Brian Demers edited comment on SHIRO-753 at 6/24/20, 3:13 PM:
--------------------------------------------------------------
[~sourabhsparkala] The line you referenced is no longer used by Shiro. It is
part of the public API and was marked deprecated. Usage of this method
outside of the Shiro project would be unrelated to this CVE.
Also, if/when you think you see a security-related issue in the future, please
contact our security list ([email protected]) first (for more details
see: [https://www.apache.org/security/]).
> Regression in URI parsing in Shiro 1.5.2
> ----------------------------------------
>
> Key: SHIRO-753
> URL: https://issues.apache.org/jira/browse/SHIRO-753
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.5.2
> Reporter: Antoine DESSAIGNE
> Priority: Critical
> Fix For: 1.5.3
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Hello everyone,
> In Shiro 1.5.2, {{WebUtils.getRequestURI()}} no longer supports paths containing
> the '%' character.
> In Shiro 1.5.1, when the path is "A%B" then the String URI retrieved from
> {{request.getRequestURI()}} returns "A%25B" which is properly decoded
> afterward by the {{decodeAndCleanUriString}} method.
> In Shiro 1.5.2, when the path is "A%B" then the String URI reconstructed from
> context+path+pathInfo returns "A%B" (it's already decoded) which crashes when
> calling {{decodeAndCleanUriString}}
> {noformat}
> Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex
> characters in escape (%) pattern - Error at index 1 in: "B/"
> at java.net.URLDecoder.decode(URLDecoder.java:232) ~[?:?]
> at java.net.URLDecoder.decode(URLDecoder.java:142) ~[?:?]
> at
> org.apache.shiro.web.util.WebUtils.decodeRequestString(WebUtils.java:357)
> ~[?:?]
> at
> org.apache.shiro.web.util.WebUtils.decodeAndCleanUriString(WebUtils.java:242)
> ~[?:?]
> at org.apache.shiro.web.util.WebUtils.getRequestUri(WebUtils.java:143)
> ~[?:?]
> at
> org.apache.shiro.web.util.WebUtils.getPathWithinApplication(WebUtils.java:113)
> ~[?:?]
> {noformat}
> Decoding the URI twice might produce other incorrect results.
> Can you have a look? Thanks!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
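The regression the reporter describes, reproduced as an added example. This is not Shiro's code and not code posted by anyone in the thread; it only mirrors the decoding step that the stack trace attributes to {{decodeRequestString}} (one {{URLDecoder.decode}} call) and compares the two inputs the report contrasts: the still-encoded value of {{request.getRequestURI()}} (1.5.1) versus a URI rebuilt from the container's already-decoded contextPath/servletPath/pathInfo (1.5.2). The class name, the method names {{shiro151Style}}/{{shiro152Style}} and all sample paths are constructed for illustration; the second sample additionally shows the "other incorrect results" the report warns about, where the double decode succeeds but yields a different path than the client sent.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Constructed demonstration of the SHIRO-753 regression (not Shiro source).
 * It models only the decoding step, not Shiro's full getRequestUri() logic.
 */
public class UriDoubleDecodeDemo {

    /** One URL-decode, the operation the stack trace shows inside decodeRequestString. */
    static String decodeOnce(String uri) {
        return URLDecoder.decode(uri, StandardCharsets.UTF_8);
    }

    /**
     * 1.5.1 behaviour as described in the report: start from request.getRequestURI(),
     * which the servlet container hands over still percent-encoded, and decode it once.
     */
    static String shiro151Style(String encodedRequestUri) {
        return decodeOnce(encodedRequestUri);
    }

    /**
     * 1.5.2 behaviour as described in the report: rebuild the URI from contextPath,
     * servletPath and pathInfo (all of which the container has ALREADY decoded),
     * then decode that reconstruction again.
     */
    static String shiro152Style(String contextPath, String servletPath, String pathInfo) {
        String reconstructed = contextPath + servletPath + (pathInfo == null ? "" : pathInfo);
        return decodeOnce(reconstructed);
    }

    public static void main(String[] args) {
        // Constructed sample 1: the client requested the literal path segment "A%B",
        // so the wire form is /app/A%25B/ and the container-decoded servletPath is /A%B/.
        String rawUri = "/app/A%25B/";
        String contextPath = "/app";
        String servletPath = "/A%B/";
        String pathInfo = null;

        System.out.println("1.5.1 -> " + shiro151Style(rawUri)); // /app/A%B/

        try {
            System.out.println("1.5.2 -> " + shiro152Style(contextPath, servletPath, pathInfo));
        } catch (IllegalArgumentException e) {
            // Same failure as the reporter's trace: "%B/" is not a valid escape sequence.
            System.out.println("1.5.2 -> " + e.getMessage());
        }

        // Constructed sample 2: the decoded parts happen to contain a VALID escape
        // sequence. Decoding twice no longer throws; it silently produces a different
        // path than the one the client actually sent, which is what a path-based
        // filter chain ends up matching against.
        String rawDotDot = "/app/%252e%252e/admin";   // client sent "%2e%2e", encoded once more
        String decodedServletPath = "/%2e%2e/admin";  // container stores this as servletPath

        System.out.println("1.5.1 -> " + shiro151Style(rawDotDot));                   // /app/%2e%2e/admin
        System.out.println("1.5.2 -> " + shiro152Style("/app", decodedServletPath, null)); // /app/../admin
    }
}
```

Compile and run with `javac UriDoubleDecodeDemo.java && java UriDoubleDecodeDemo` (Java 10 or newer for the `Charset` overload of `URLDecoder.decode`). The first sample reproduces the `IllegalArgumentException` from the report; the second is the reason a practitioner cares beyond the crash: the value that reaches Shiro's path matching must be decoded exactly once, since a path decoded twice can differ from the one the container routed, and any filter decision made on it applies to the wrong resource.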