[ https://issues.apache.org/jira/browse/SHIRO-906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719344#comment-17719344 ]

Ronald Feicht commented on SHIRO-906:
-------------------------------------

Maybe that is because we load our ini from MongoDB and initialize Shiro as 
WebListener and not through web.xml (we do not have a web.xml)?

public abstract class ModuleInitializer extends EnvironmentLoaderListener {

...

    @Override
    protected void customizeEnvironment(WebEnvironment environment) {
        // Optional TLS context for the MongoDB connection; null means plain TCP.
        SSLContext sslContext = SSLContextConfiguration.createIsolatedSSLContextForAlias(MONGODBALIAS);
        MongoClientSettings.Builder settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(MongoProvider.getConnectionString()));
        if (sslContext != null) {
            settings.applyToSslSettings((SslSettings.Builder builder) -> builder.enabled(true).context(sslContext));
        }
        try (MongoClient mongoClient = MongoClients.create(settings.build())) {
            MongoCollection<Document> collection = mongoClient
                    .getDatabase(MongoProvider.getConfiguratorDatabaseName())
                    .getCollection("shiro-ini");
            // Newest stored INI wins: sort by timestamp descending, take one.
            try (MongoCursor<Document> cursor = collection.find()
                    .sort(new Document("timestamp", -1)).limit(1).iterator()) {
                if (cursor.hasNext()) {
                    String iniFile = cursor.next().get("conf").toString();
                    Ini ini = new Ini();
                    ini.load(iniFile);
                    // Prepend the application's own realms to whatever the stored INI lists.
                    String realms = ini.getSectionProperty("main", "securityManager.realms");
                    if (realms != null && !realms.contains(CamelRealm.CAMELREALM)) {
                        ini.setSectionProperty("main", "securityManager.realms",
                                "$" + CamelRealm.CAMELREALM + ", $" + SessionRealm.NAME + ", " + realms
                                + ", $" + NoCredentialsRealm.NAME);
                    }
                    ((CdiIniWebEnvironment) environment).setIni(ini);
                }
            }
        }
    }

    @Override
    protected WebEnvironment determineWebEnvironment(ServletContext servletContext) {
        // Use the CDI-aware environment instead of the default IniWebEnvironment.
        return (WebEnvironment) ClassUtils.newInstance(CdiIniWebEnvironment.class);
    }

    private void initializeShiro(ServletContextEvent sce) {
        // Programmatic replacement for the ShiroFilter entry normally declared in web.xml.
        FilterRegistration.Dynamic dynamic = sce.getServletContext()
                .addFilter("ShiroFilter", "org.apache.shiro.web.servlet.ShiroFilter");
        dynamic.setAsyncSupported(true);
        EnumSet<DispatcherType> enumSet = EnumSet.of(REQUEST, FORWARD, INCLUDE, ERROR, ASYNC);
        dynamic.addMappingForUrlPatterns(enumSet, true, "/*");
    }

...

}

> URIs like "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf" are blocked
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-906
>                 URL: https://issues.apache.org/jira/browse/SHIRO-906
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1
>            Reporter: Ronald Feicht
>            Priority: Major
>
> When a user uploads a PDF document to this URI:
> https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf
> which is the url-encoded form of
> "https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf";
> an HTTP 400 response is generated by Shiro with this as the body:
> <html>
> <head>
>   <title>Error</title>
> </head>
> <body>Invalid request</body>
> </html>
>
> With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I
> found org.apache.shiro.web.filter.InvalidRequestFilter line 67:
> return !StringUtils.hasText(uri)
> which means that a URI which is null or has zero length or consists only of
> whitespace should be considered a valid URI. I am pretty sure this is not what
> the author intended and that the "!" just needs to be removed to fix this bug.
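
Added example (my own code, neither Shiro's nor the reporter's): a Python model of the URI checks that Shiro's InvalidRequestFilter applies from 1.7.0 on, run against the URI from the report. The checks are recalled from the Shiro 1.7+ source and are an assumption rather than something the page shows: the filter validates getRequestURI() (raw, still percent-encoded), getServletPath() (decoded) and getPathInfo() (decoded, may be null), and a value passes when it is blank or when it contains no ';', no '\' and no character outside printable ASCII. The context path "/Dms" and servlet mapping "/rest" are assumed from the shape of the URI; the split_path helper that derives pathInfo is constructed for the example.

```python
# Added example (not Shiro's code, not the reporter's): a model of the URI
# checks in Shiro's InvalidRequestFilter (1.7.0+), run on the reported URI.
#
# Assumptions, recalled from the Shiro 1.7+ source rather than taken from the
# page: the filter validates getRequestURI() (raw, still percent-encoded),
# getServletPath() (decoded) and getPathInfo() (decoded, may be null); a value
# passes when it is blank, or when it contains no ';', no '\' and no character
# outside printable ASCII (0x20-0x7E).  Each check is switchable, mirroring the
# filter's blockSemicolon / blockBackslash / blockNonAscii properties.
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Policy:
    block_semicolon: bool = True
    block_backslash: bool = True
    block_non_ascii: bool = True


def has_text(s):
    """Java StringUtils.hasText: non-null and not only whitespace."""
    return s is not None and s.strip() != ""


def is_valid(uri, policy=Policy()):
    """Blank URIs pass; otherwise every enabled check must pass."""
    if not has_text(uri):
        return True
    if policy.block_semicolon and ";" in uri:
        return False
    if policy.block_backslash and "\\" in uri:
        return False
    if policy.block_non_ascii and any(not ("\x20" <= c <= "\x7e") for c in uri):
        return False
    return True


def split_path(request_uri, context_path, servlet_path):
    """Derive the decoded servletPath / pathInfo a container hands to Shiro.

    Constructed helper: the container percent-decodes the path, strips the
    context path and the servlet mapping, and reports the rest as pathInfo.
    """
    decoded = unquote(request_uri)
    prefix = context_path + servlet_path
    if not decoded.startswith(prefix):
        raise ValueError("request does not belong to this servlet mapping")
    rest = decoded[len(prefix):]
    return servlet_path, (rest if rest else None)


def is_access_allowed(request_uri, context_path, servlet_path, policy=Policy()):
    """Mirror of isAccessAllowed(): all three views of the request must pass."""
    sp, pi = split_path(request_uri, context_path, servlet_path)
    return is_valid(request_uri, policy) and is_valid(sp, policy) and is_valid(pi, policy)


def explain(request_uri, context_path, servlet_path, policy=Policy()):
    """Report which view of the request failed; handy for a log line or a test."""
    sp, pi = split_path(request_uri, context_path, servlet_path)
    return {
        "requestURI": is_valid(request_uri, policy),
        "servletPath": is_valid(sp, policy),
        "pathInfo": is_valid(pi, policy),
    }


# The request from the report.  Context path "/Dms" and servlet mapping "/rest"
# are assumed from the URI shape.
REPORTED_URI = "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf"

if __name__ == "__main__":
    # The raw URI is pure ASCII, so it passes; the decoded pathInfo carries the
    # "ä" from %C3%A4 and fails the non-ASCII check (the %20 decodes to a space,
    # which is printable ASCII and passes).
    print(explain(REPORTED_URI, "/Dms", "/rest"))
    # {'requestURI': True, 'servletPath': True, 'pathInfo': False}
    print(is_access_allowed(REPORTED_URI, "/Dms", "/rest", Policy(block_non_ascii=False)))
    # True
```

The model shows why the encoded request looks harmless while the decoded pathInfo is what trips the filter, and why the blank-URI branch the reporter quotes is not the part involved for this request (pathInfo is non-blank). For a deployment that must serve non-ASCII file names, the targeted relaxation is the non-ASCII check only; the semicolon and backslash checks, which exist because servlet containers and path-pattern matchers disagree on those characters, stay on. In an INI the filter is addressed as `invalidRequest` in the `[main]` section, so `invalidRequest.blockNonAscii = false` is the corresponding setting as I recall it from the Shiro 1.7 release notes.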



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
