boris-petrov commented on code in PR #1026:
URL: https://github.com/apache/shiro/pull/1026#discussion_r2736458237
##########
web/src/main/java/org/apache/shiro/web/filter/InvalidRequestFilter.java:
##########
@@ -205,35 +189,52 @@ public void setBlockNonAscii(boolean blockNonAscii) {
this.blockNonAscii = blockNonAscii;
}
- public boolean isBlockTraversal() {
- return blockTraversal;
+ public PathTraversalBlockMode getPathTraversalBlockMode() {
+ return pathTraversalBlockMode;
}
- public void setBlockTraversal(boolean blockTraversal) {
- this.blockTraversal = blockTraversal;
+ public void setBlockPathTraversal(PathTraversalBlockMode mode) {
+ this.pathTraversalBlockMode = mode;
}
public boolean isBlockEncodedPeriod() {
- return blockEncodedPeriod;
+ return pathTraversalBlockMode == PathTraversalBlockMode.STRICT;
}
public void setBlockEncodedPeriod(boolean blockEncodedPeriod) {
- this.blockEncodedPeriod = blockEncodedPeriod;
+ setBlockPathTraversal(blockEncodedPeriod ?
PathTraversalBlockMode.STRICT : PathTraversalBlockMode.NORMAL);
}
public boolean isBlockEncodedForwardSlash() {
- return blockEncodedForwardSlash;
+ return pathTraversalBlockMode == PathTraversalBlockMode.STRICT;
}
public void setBlockEncodedForwardSlash(boolean blockEncodedForwardSlash) {
- this.blockEncodedForwardSlash = blockEncodedForwardSlash;
+ setBlockPathTraversal(blockEncodedForwardSlash ?
PathTraversalBlockMode.STRICT : PathTraversalBlockMode.NORMAL);
}
public boolean isBlockRewriteTraversal() {
- return blockRewriteTraversal;
+ return pathTraversalBlockMode == PathTraversalBlockMode.NORMAL;
}
public void setBlockRewriteTraversal(boolean blockRewriteTraversal) {
- this.blockRewriteTraversal = blockRewriteTraversal;
+ setBlockPathTraversal(blockRewriteTraversal ?
PathTraversalBlockMode.NORMAL : PathTraversalBlockMode.NO_BLOCK);
+ }
+
+ /**
+ * @deprecated use {@link #getPathTraversalBlockMode()} instead
+ */
+ @Deprecated
+ public boolean isBlockTraversal() {
+ return pathTraversalBlockMode != PathTraversalBlockMode.NO_BLOCK;
+ }
+
+ /**
+ *
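Review bot: The legacy boolean setters `setBlockEncodedPeriod`, `setBlockEncodedForwardSlash` and `setBlockRewriteTraversal` now all overwrite the single `pathTraversalBlockMode` field, so the effective mode depends on call order and one call can silently undo another. For example, `setBlockEncodedPeriod(true)` followed by `setBlockRewriteTraversal(false)` ends at `NO_BLOCK`, `setBlockRewriteTraversal(true)` after a `STRICT` setting drops the mode to `NORMAL`, and `setBlockEncodedPeriod(false)` raises `NO_BLOCK` to `NORMAL`. Suggest having each legacy setter take the current mode into account instead of assigning unconditionally, and marking these accessors `@Deprecated` with Javadoc that states the mapping, as is done for `isBlockTraversal()`. Also, `isBlockRewriteTraversal()` compares with `== PathTraversalBlockMode.NORMAL`, so it returns false in `STRICT`; if `STRICT` is meant to include the `NORMAL` checks, compare with `!= PathTraversalBlockMode.NO_BLOCK`. Finally, the getter is `getPathTraversalBlockMode()` while the setter is `setBlockPathTraversal(...)`; matching names would give the class one consistent bean property.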
Review Comment:
This line can be removed.
##########
web/src/test/groovy/org/apache/shiro/web/filter/InvalidRequestFilterTest.groovy:
##########
@@ -39,10 +39,8 @@ class InvalidRequestFilterTest {
assertThat "filter.blockBackslash expected to be true",
filter.isBlockBackslash()
assertThat "filter.blockNonAscii expected to be true",
filter.isBlockNonAscii()
assertThat "filter.blockSemicolon expected to be true",
filter.isBlockSemicolon()
- assertThat "filter.blockTraversal expected to be true",
filter.isBlockTraversal()
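Review bot: With the `filter.isBlockTraversal()` assertion removed, the visible part of this defaults test no longer checks any path traversal setting, so a change to the default mode would go unnoticed. Suggest replacing the removed line with an assertion on `filter.getPathTraversalBlockMode()` against the intended default rather than dropping the check.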
Review Comment:
I see `isBlockTraversal` has been deprecated so it's fine to remove this
check. But why were the following three also removed?
##########
web/src/main/java/org/apache/shiro/web/filter/InvalidRequestFilter.java:
##########
@@ -40,15 +38,19 @@
* <li>Semicolon - can be disabled by setting {@code blockSemicolon =
false}</li>
* <li>Backslash - can be disabled by setting {@code blockBackslash =
false}</li>
* <li>Non-ASCII characters - can be disabled by setting {@code
blockNonAscii = false},
- * the ability to disable this check will be removed in future
version.</li>
+ * the ability to disable this check will be removed in future
version.</li>
* <li>Path traversals - can be disabled by setting {@code blockTraversal
= false}</li>
* </ul>
*
- * @see <a
href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/firewall/StrictHttpFirewall.html">
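Review bot: The unchanged Javadoc item "Path traversals - can be disabled by setting {@code blockTraversal = false}" is stale, since the other hunk on this file replaces the `blockTraversal` boolean with `pathTraversalBlockMode`. It should describe the new setting and its values (`NO_BLOCK`, `NORMAL`, `STRICT` as used in the accessors). The re-indented "the ability to disable this check will be removed in future version." line looks like a whitespace-only change and can be left out of the diff.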
Review Comment:
Why was this comment changed? I see this link is still valid. If this class
is no longer inspired by `StrictHttpFirewall`, perhaps the whole comment should
be removed?
##########
web/src/test/groovy/org/apache/shiro/web/filter/InvalidRequestFilterTest.groovy:
##########
@@ -63,6 +61,7 @@ class InvalidRequestFilterTest {
}
}
+
Review Comment:
This line can be removed.