Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] Shiro's InvalidRequestFilter blocks valid paths with encoded slashes #1025

Open
1 task done
haster opened this issue Aug 2, 2023 · 2 comments · May be fixed by #1026
Open
1 task done

[Bug] Shiro's InvalidRequestFilter blocks valid paths with encoded slashes #1025

haster opened this issue Aug 2, 2023 · 2 comments · May be fixed by #1026
Assignees
Labels
core Core Modules java Pull requests that update Java code pending-cla
Milestone

Comments

@haster
Copy link

haster commented Aug 2, 2023

Search before asking

  • I had searched in the issues and found no similar issues.

Environment

Wildfly 26

Shiro version

1.12.0

What was the actual outcome?

Shiro's InvalidRequestFilter blocks (returns a 400 Bad Request) any path containing an encoded forward slash (%2F) or period (%2E) anywhere when blockTraversal is true. (b67ff01)

Not allowing traversal for non-normalized paths seems like a good idea but indiscriminately blocking every encoded forward slash or period seems a bit strict.

For example, the following path would be blocked:
GET /mycompany/issuer/http:%2F%2Fmycompany.example.com/tokens (where the value of the path parameter 'issuer' would eventually be http://mycompany.example.com).

This is not path traversal, nor is a URL like
/mycompany/issuer/..%2F..%2F/,
though an overly enthusiastic decoding of such a URL could of course result in path traversal.

Maybe this should be a non-default 'extra strict' setting? With the default only blocking non-normalized paths?

What was the expected outcome?

Paths containing encoded forward slashes or periods are allowed by default.

How to reproduce

Start an application configured with a default shiro config (an application that listens to every path and simply consumes or echoes it for example),
and do a GET for an path such as
/mycompany/issuer/http:%2F%2Fmycompany.example.com/tokens

Debug logs

No response

@bdemers
Copy link
Member

bdemers commented Aug 2, 2023

My suggestion in the short term would be to set blockTraversal to false, and add a custom filter to implement a more flexible traversal blocking technique.

And then send us a pull request so everyone can benefit! 😎

@haster
Copy link
Author

haster commented Aug 2, 2023

Yeah, that was the way I was going also.

@lprimak lprimak added pending-cla java Pull requests that update Java code core Core Modules labels Aug 2, 2023
@lprimak lprimak added this to the 1.13.0 milestone Aug 2, 2023
@github-actions github-actions bot added the Stale label Nov 1, 2023
@lprimak lprimak modified the milestones: 1.13.0, 1.14.0 Nov 8, 2023
@github-actions github-actions bot removed the Stale label Nov 9, 2023
@github-actions github-actions bot added the Stale label Feb 8, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 16, 2024
@lprimak lprimak reopened this Feb 16, 2024
@github-actions github-actions bot removed the Stale label Feb 17, 2024
@lprimak lprimak modified the milestones: 1.14.0, 2.0.1 Feb 28, 2024
@lprimak lprimak modified the milestones: 2.0.1, 2.0.2, Backlog May 20, 2024
@github-actions github-actions bot added the Stale label Aug 21, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 28, 2024
@lprimak lprimak reopened this Aug 28, 2024
@github-actions github-actions bot removed the Stale label Aug 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core Core Modules java Pull requests that update Java code pending-cla
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants