[ https://issues.apache.org/jira/browse/SHIRO-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719278#comment-17719278 ]

Ronald Feicht edited comment on SHIRO-906 at 5/4/23 11:33 AM:
--------------------------------------------------------------

I did not specify the InvalidRequestFilter to be part of my filter chain; it 
seems to be injected into the chain by default, which is probably not what 
people want, or at least it should be part of the documentation that 
InvalidRequestFilter is always part of the filter chain with no way to remove 
it through configuration.

My filter chain:

/rest/** = noSessionCreation, ssl[443], authcBasic

Apart from that I am fairly sure that the method isValid(...) should not return 
true for URIs which are null or all whitespace.


was (Author: scsynergy):
I did not specify the InvalidRequestFilter to be part of my filter chain; it 
seems to be injected into the chain by default, which is probably not what 
people want, or at least it should be part of the documentation that 
InvalidRequestFilter is always part of the filter chain with no way to remove 
it through configuration.

Apart from that I am fairly sure that the method isValid(...) should not return 
true for URIs which are null or all whitespace.

> URIs like "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf" are blocked
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-906
>                 URL: https://issues.apache.org/jira/browse/SHIRO-906
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1
>            Reporter: Ronald Feicht
>            Priority: Major
>
> When a user uploads a PDF document to this URI:
> https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf
> which is the url-encoded form of
> "https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf";
> an HTTP 400 response is generated by Shiro with this as the body:
>
> <html>
> <head>
> <title>Error</title>
> </head>
> <body>Invalid request</body>
> </html>
>
> With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I found 
> org.apache.shiro.web.filter.InvalidRequestFilter line 67:
> return !StringUtils.hasText(uri)
> which means that a URI which is null or has zero length or consists only of 
> whitespace should be considered a valid URI. I am pretty sure this is not what 
> the author intended and that the "!" just needs to be removed to fix this bug.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)