Re: [PR] [#1025] - Shiro's InvalidRequestFilter blocks valid paths with encoded slashes [shiro]

via GitHub Sun, 18 Jan 2026 22:47:22 -0800


lprimak commented on code in PR #1026:
URL: https://github.com/apache/shiro/pull/1026#discussion_r2703428044



##########
web/src/main/java/org/apache/shiro/web/util/WebUtils.java:
##########
@@ -116,7 +116,7 @@ private WebUtils() {
      * @return the path within the web application
      */
     public static String getPathWithinApplication(HttpServletRequest request) {
-        return normalize(removeSemicolon(getServletPath(request) + 
getPathInfo(request)));
+        return normalize(decodeAndCleanUriString(request, 
getServletPath(request) + getPathInfo(request)));

Review Comment:
   This is the key line. This should help us plug up auth bypass once and for 
all



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] [#1025] - Shiro's InvalidRequestFilter blocks valid paths with encoded slashes [shiro]

Reply via email to