[
https://issues.apache.org/jira/browse/SHIRO-801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236254#comment-17236254
]
Brian Demers commented on SHIRO-801:
------------------------------------
There are a few Unicode-based attacks:
[https://owasp.org/www-community/attacks/Unicode_Encoding]
That doesn't mean that your application is susceptible to them. To revert to the
previous behavior, you can set
{{invalidRequest.blockNonAscii = false}}
See: https://shiro.apache.org/web.html#global-filters
> Shiro blocks requests with non-ASCII characters in the URL path
> ---------------------------------------------------------------
>
> Key: SHIRO-801
> URL: https://issues.apache.org/jira/browse/SHIRO-801
> Project: Shiro
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Tuure Laurinolli
> Priority: Major
>
> When trying to upgrade to Shiro 1.7.0 we noticed that some of our tests
> started failing. The tests validate that Scandinavian characters (äöå) can be
> used in object ids in our system.
> It appears that SHIRO-794 changed URL validation so that Scandinavian
> characters are no longer allowed in the decoded path component of the URL.
> The relevant code change is
> https://github.com/apache/shiro/commit/a28300448ae6c4bb78a8ba626b0cacb00f82d5f8#diff-bd4bf9dfa4cc7521c708850ac5d397fee22b021ea09a3a91f7ce1587abc287d7
> Is there some reason to not allow non-ASCII characters in the URL path?
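To illustrate the behaviour discussed in this thread, here is an added example (not Shiro's code and not written by either participant) that applies a printable-ASCII check to the decoded URL path, with a flag playing the role of `invalidRequest.blockNonAscii`. The class and method names are hypothetical, the sample paths are constructed, and the exact character range (U+0020 to U+007E) is an assumption.

```java
import java.net.URI;

// Added illustration; not Shiro source. All names here are hypothetical.
public class NonAsciiPathCheck {

    // Plays the role of invalidRequest.blockNonAscii from the comment above.
    private final boolean blockNonAscii;

    public NonAsciiPathCheck(boolean blockNonAscii) {
        this.blockNonAscii = blockNonAscii;
    }

    // Assumption: "ASCII" means printable ASCII, U+0020 through U+007E.
    static boolean isPrintableAscii(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c > 0x7e) {
                return false;
            }
        }
        return true;
    }

    // The check is applied to the decoded path, so a percent-encoded
    // UTF-8 sequence is treated the same as the literal character.
    public boolean isAllowed(String rawPath) {
        String decoded = URI.create(rawPath).getPath();
        return !blockNonAscii || isPrintableAscii(decoded);
    }

    public static void main(String[] args) {
        // Constructed sample paths: plain ASCII, literal äöå, percent-encoded äöå.
        String[] samples = {
            "/objects/abc",
            "/objects/\u00e4\u00f6\u00e5",
            "/objects/%C3%A4%C3%B6%C3%A5"
        };
        for (boolean block : new boolean[] { true, false }) {
            NonAsciiPathCheck check = new NonAsciiPathCheck(block);
            for (String path : samples) {
                System.out.printf("blockNonAscii=%b  %-28s -> %s%n",
                        block, path, check.isAllowed(path) ? "allowed" : "rejected");
            }
        }
    }
}
```

With the flag enabled, both the literal and the percent-encoded forms of the Scandinavian object id are rejected, which matches the test failures the reporter describes; with it disabled, any Unicode handling falls to the application.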