GitHub user lprimak created a discussion: [Discussion] How to systematically 
deal with "auth bypass" issues

### Discussion
Currently, every few weeks, the Shiro project receives a security vulnerability 
report. All of these reports are very similar in nature, but only slightly vary.

The themes are as follows:
- Authentication directives do not work exactly as Spring does, thus leading to 
confusion and perceived as auth bypass
- Some obscure characters and URL encoding or upper/lower-case lead to 
perceived auth bypass and confusion

We need to figure out what to do with those reports.
Currently, there isn't even an agreement whether these are or are not true 
security issues.

#### Proposal
- Update documentation with a big disclaimer that the Ant pattern that's used 
in Shiro is not the same as Spring, so it can be easily linked to when security 
reports come in referencing this.
- Put the same disclaimer into security vulnerability issue template.
- URL-decode all incoming URLs, and then disallow any non-alphanumeric 
characters that go into the authentication matching algorithm.

Please discuss. Thank you 

GitHub link: https://github.com/apache/shiro/discussions/2412
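One way to implement the decode-then-restrict idea from the proposal, as an added example that is not Shiro's code: canonicalize the request path (decode once, apply a character whitelist, collapse dot segments, fold case) before any Ant-style rule is consulted. The whitelist, the `PROTECTED` rules and the simplified Ant translation are assumptions made for the illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Assumed policy (not Shiro's): decode once, then accept only plain path
# characters; anything else is rejected before it reaches the matcher.
ALLOWED = re.compile(r"[A-Za-z0-9/._-]*")
PROTECTED = ["/admin/**", "/api/*/secret"]   # hypothetical rules

def ant_to_regex(pattern: str):
    """Minimal Ant translation: '/**' this segment or below, '**' anything,
    '*' one segment, '?' one character."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out)

def normalize(raw_path: str):
    """Canonical request path, or None if the request must be rejected."""
    decoded = unquote(raw_path)            # exactly one percent-decoding pass
    if not ALLOWED.fullmatch(decoded):     # leftover '%', NUL, ';' ... -> reject
        return None
    # Force one leading slash; normpath then collapses '//', '.' and '..'.
    return normpath("/" + decoded.lstrip("/")).lower()

def decide(raw_path: str) -> str:
    """'reject' for malformed paths, 'protected' if a rule applies, else 'public'."""
    path = normalize(raw_path)
    if path is None:
        return "reject"
    if any(ant_to_regex(p.lower()).fullmatch(path) for p in PROTECTED):
        return "protected"
    return "public"

if __name__ == "__main__":
    for p in ["/admin/users", "/ADMIN/users", "/admin%2Fusers", "/x/../admin/users",
              "/admin%252Fusers", "/admin%00/users", "/docs/index.html"]:
        print(f"{p:20} -> {decide(p)}")
```

Because the rules are evaluated against the canonical form only, differently spelled requests for the same resource all receive the same decision, and anything the whitelist cannot vouch for is refused instead of being matched.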

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]