[jira] [Commented] (SHIRO-826) HTTP 400 with encoded umlauts in URL

Mon, 19 Jul 2021 15:30:05 -0700 


    [ 
https://issues.apache.org/jira/browse/SHIRO-826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17383639#comment-17383639
 ] 

Brian Demers commented on SHIRO-826:
------------------------------------

Hey [~sgessner]!

 

I just had a chance to dig into this a bit more. 

In Shiro 1.7 we introduced a global filtering mechanism.  One of the default 
filters checks for non-ascii characters, specifically in your case it looks 
like it's failing here:

[https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/web/src/main/java/org/apache/shiro/web/filter/InvalidRequestFilter.java#L62]

 

The quick workaround is to disable the filter (to revert to the previous 
behavior):
{code:java}
    @Configuration
    static class Config extends AbstractShiroWebFilterConfiguration {

        @Bean
        @Override
        public ShiroFilterFactoryBean shiroFilterFactoryBean() {
            ShiroFilterFactoryBean bean = super.shiroFilterFactoryBean();
            InvalidRequestFilter invalidRequestFilter = new 
InvalidRequestFilter();
            invalidRequestFilter.setBlockNonAscii(false);
            bean.getFilters().put("invalidRequest", invalidRequestFilter);
            return bean;
        }
    }
{code}
 
For anyone using a `shiro.ini` file the equivalent should be:
{code}
invalidRequest.invalidRequest = false
{code}
 

We need to make these types of changes more visible, both in the Shiro docs, 
and the release notes.
(possibly with some debug/trace logging to, to help anyone in the future)

> HTTP 400 with encoded umlauts in URL
> ------------------------------------
>
>                 Key: SHIRO-826
>                 URL: https://issues.apache.org/jira/browse/SHIRO-826
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.7.1
>            Reporter: Sita Geßner
>            Priority: Major
>         Attachments: debug.log, error-request-with-umlauts.png, 
> localhost_access_log.2021-07-19.txt, success-request-without-umlauts.png
>
>
> I've updated shiro from version 1.4.2 to 1.7.1.
>  
> I have an rest-endpoint with an Pathvariable:
> {code:java}
> @RestController
> @RequestMapping(value = "/inspektor/verjaehrungs-agent")
> @Slf4j
> public class MyRestController    
>     @GetMapping("/profile/{name}")
>     public Profile getProfile(@PathVariable final String name) {
>         return service.getProfile(name);
>     }
> {code}
> When requesting with the Pathvariable name "Test 123" everything works fine. 
> When requesting with the Pathvariable name "Test ö" I'm getting an HTTP 400.
> This error occurs also, when I encode the Pathvariable to "TEST%20%C3%B6".
>  
> Before the update, everything was fine.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to