[
https://issues.apache.org/jira/browse/SHIRO-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719303#comment-17719303
]
Ronald Feicht edited comment on SHIRO-906 at 5/4/23 12:41 PM:
--------------------------------------------------------------
When I try to disable the InvalidRequestFilter by adding this line into my
shiro.ini:
invalidRequest.enabled = false
I get the following exception while deploying with Shiro version 1.11.0:
Caused by: java.lang.IllegalArgumentException: Configuration error. Specified
object [invalidRequest] with property [enabled] without first defining that
object's class. Please first specify the class property first, e.g. myObject =
fully_qualified_class_name and then define additional properties.
at
[email protected]//org.apache.shiro.config.ReflectionBuilder.applySingleProperty(ReflectionBuilder.java:389)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:353)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder$AssignmentStatement.doExecute(ReflectionBuilder.java:999)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder$Statement.execute(ReflectionBuilder.java:931)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:809)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:288)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:181)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:139)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:107)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:98)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:47)
at
[email protected]//org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:150)
at
[email protected]//org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
at
deployment.Base.war//de.scsynergy.elementary.base.camel.Bootstrap.initializeShiro(Bootstrap.java:212)
at
deployment.Base.war//de.scsynergy.elementary.base.camel.Bootstrap.init(Bootstrap.java:85)
... 35 more
was (Author: scsynergy):
When I try to disable the InvalidRequestFilter by adding this line into my
shiro.ini:
invalidRequest.enabled = false
I get the following exception while deploying:
Caused by: java.lang.IllegalArgumentException: Configuration error. Specified
object [invalidRequest] with property [enabled] without first defining that
object's class. Please first specify the class property first, e.g. myObject =
fully_qualified_class_name and then define additional properties.
at
[email protected]//org.apache.shiro.config.ReflectionBuilder.applySingleProperty(ReflectionBuilder.java:389)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder.applyProperty(ReflectionBuilder.java:353)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder$AssignmentStatement.doExecute(ReflectionBuilder.java:999)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder$Statement.execute(ReflectionBuilder.java:931)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder$BeanConfigurationProcessor.execute(ReflectionBuilder.java:809)
at
[email protected]//org.apache.shiro.config.ReflectionBuilder.buildObjects(ReflectionBuilder.java:288)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.buildInstances(IniSecurityManagerFactory.java:181)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:139)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(IniSecurityManagerFactory.java:107)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:98)
at
[email protected]//org.apache.shiro.config.IniSecurityManagerFactory.createInstance(IniSecurityManagerFactory.java:47)
at
[email protected]//org.apache.shiro.config.IniFactorySupport.createInstance(IniFactorySupport.java:150)
at
[email protected]//org.apache.shiro.util.AbstractFactory.getInstance(AbstractFactory.java:47)
at
deployment.Base.war//de.scsynergy.elementary.base.camel.Bootstrap.initializeShiro(Bootstrap.java:212)
at
deployment.Base.war//de.scsynergy.elementary.base.camel.Bootstrap.init(Bootstrap.java:85)
... 35 more
> URIs like
> "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf"
> are blocked
> -----------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-906
> URL: https://issues.apache.org/jira/browse/SHIRO-906
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1,
> 1.11.0, 1.11.1
> Reporter: Ronald Feicht
> Priority: Major
>
> When a user uploads a PDF document to this URI:
> [https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf]
> which is the url-encoded form of
> "[https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung
>
> 18103101.pdf|https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf]";
> an HTTP 400 response is generated by Shiro with this as the body:
> {color:#383838}<{color}{color:#800000}html{color}{color:#383838}>{color}
> {color:#383838}<{color}{color:#800000}head{color}{color:#383838}>{color}
> {color:#000000}
> {color}{color:#383838}<{color}{color:#800000}title{color}{color:#383838}>{color}{color:#000000}Error{color}{color:#383838}</{color}{color:#800000}title{color}{color:#383838}>{color}
> {color:#383838}</{color}{color:#800000}head{color}{color:#383838}>{color}
> {color:#383838}<{color}{color:#800000}body{color}{color:#383838}>{color}{color:#000000}Invalid
>
> request{color}{color:#383838}</{color}{color:#800000}body{color}{color:#383838}>{color}
> {color:#383838}</{color}{color:#800000}html{color}{color:#383838}>{color}
>
> {color:#383838}With Shiro version 1.6.0 the upload worked.
> {color}{color:#383838}Digging through Shiro's code I found {color}
> {color:#383838}org.apache.shiro.web.filter.InvalidRequestFilter line
> 67:{color}
> {color:#383838}return !StringUtils.hasText(uri){color}
> {color:#383838}which means that a URI which is null or has zero length or
> consists only of whitespace should be considered a valid URI. I am pretty
> sure this is not what the author intended and that the "!" just needs to be
> removed to fix this bug.{color}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
