[Bug] Shiro's InvalidRequestFilter blocks valid paths with encoded slashes #1025
Comments
My suggestion in the short term would be to set And then send us a pull request so everyone can benefit! 😎
Yeah, that was the way I was going also.
lprimak added the pending-cla, java (Pull requests that update Java code) and core (Core Modules) labels on Aug 2, 2023
Environment: Wildfly 26
Shiro version: 1.12.0
What was the actual outcome?
Shiro's InvalidRequestFilter blocks (returns a 400 Bad Request) any path containing an encoded forward slash (%2F) or period (%2E) anywhere when blockTraversal is true. (b67ff01)
Not allowing traversal for non-normalized paths seems like a good idea but indiscriminately blocking every encoded forward slash or period seems a bit strict.
For example, the following path would be blocked:
GET /mycompany/issuer/http:%2F%2Fmycompany.example.com/tokens
(where the value of the path parameter 'issuer' would eventually be http://mycompany.example.com). This is not path traversal, nor is a URL like /mycompany/issuer/..%2F..%2F/, though an overly enthusiastic decoding of such a URL could of course result in path traversal.
Maybe this should be a non-default 'extra strict' setting? With the default only blocking non-normalized paths?
What was the expected outcome?
Paths containing encoded forward slashes or periods are allowed by default.
How to reproduce
Start an application configured with a default shiro config (an application that listens to every path and simply consumes or echoes it, for example), and do a GET for a path such as
/mycompany/issuer/http:%2F%2Fmycompany.example.com/tokens
Debug logs
No response
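To make the two policies in the report concrete, the following is an added, self-contained model (not Shiro's InvalidRequestFilter code, and not from the reporter or the Shiro project) of three ways a request path can be judged: the strict rule the issue describes (reject any raw path containing %2F or %2E when blockTraversal is on), the proposed default (reject only paths that are not already normalized, judged on the raw path so an encoded slash stays data inside a segment), and what a downstream component sees if it percent-decodes first and then splits on '/', which is the "overly enthusiastic decoding" case the report warns about. The function names, the regex and the sample paths beyond the two quoted in the issue are assumptions made for this example; "non-normalized" is modelled as the presence of a '.' or '..' segment.

```python
"""Model of the request-path policies discussed in the issue.

Constructed example; it is not Shiro's InvalidRequestFilter implementation.
"""
import re
from urllib.parse import unquote

# Percent-encoded '/' (%2F) and '.' (%2E), in either case.
ENCODED_SLASH_OR_PERIOD = re.compile(r"%2[fFeE]")

# Segments that make a path non-normalized (assumed definition for this model).
DOT_SEGMENTS = {".", ".."}


def strict_policy_blocks(raw_path: str) -> bool:
    """Rule the issue reports for blockTraversal=true: any encoded slash or
    period anywhere in the raw request path is rejected (400 Bad Request)."""
    return ENCODED_SLASH_OR_PERIOD.search(raw_path) is not None


def has_dot_segments(path: str) -> bool:
    """True if the path, split on literal '/', contains a '.' or '..' segment."""
    return any(seg in DOT_SEGMENTS for seg in path.split("/"))


def normalized_policy_blocks(raw_path: str) -> bool:
    """Proposed default from the issue: reject only paths that are not already
    normalized. The raw (still encoded) path is split, so %2F is ordinary data
    inside a segment and does not act as a separator."""
    return has_dot_segments(raw_path)


def traversal_after_decoding(raw_path: str) -> bool:
    """What a downstream component sees if it percent-decodes the path first
    and only then splits it on '/': the decoding the issue calls 'overly
    enthusiastic'. A single decode is modelled here."""
    return has_dot_segments(unquote(raw_path))


def classify(raw_path: str) -> dict:
    """Evaluate one raw request path under all three views."""
    return {
        "strict_blocks": strict_policy_blocks(raw_path),
        "normalized_blocks": normalized_policy_blocks(raw_path),
        "traversal_after_decoding": traversal_after_decoding(raw_path),
    }


# Constructed sample request paths; the first two are the ones from the issue.
SAMPLE_PATHS = [
    "/mycompany/issuer/http:%2F%2Fmycompany.example.com/tokens",
    "/mycompany/issuer/..%2F..%2F/",
    "/mycompany/issuer/../tokens",
    "/mycompany/issuer/tokens",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, classify(path))
```

Running the block shows the trade-off the report describes: the issuer URL from the issue is blocked by the strict rule but passes both other checks, the ..%2F..%2F/ path passes the normalized check on the raw path yet becomes a '..' traversal once decoded and re-split, and a plain ../ path is caught by the normalized check while the strict rule never sees it. Whichever default the filter adopts, the consuming code must not percent-decode the path and then treat the decoded slashes as separators.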