[ https://issues.apache.org/jira/browse/SHIRO-682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16978446#comment-16978446 ]
Francois Papon edited comment on SHIRO-682 at 11/20/19 2:02 PM:
----------------------------------------------------------------

Merged and included in the next 1.5.0 release.

was (Author: fpapon):
Merge and included in the next 1.5.0 release.

> Fix the potential threat when using "uri = uri + '/'" to bypass Shiro protection
> ------------------------------------------------------------------------------
>
>                 Key: SHIRO-682
>                 URL: https://issues.apache.org/jira/browse/SHIRO-682
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 1.3.2
>            Reporter: tomsun28
>            Assignee: Francois Papon
>            Priority: Major
>              Labels: security
>             Fix For: 1.5.0
>
>          Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> Hi, a potential threat was found when using the Shiro filter.
> In Spring Web, the {{requestURI}} {{/resource/menus}} and {{/resource/menus/}} can both access the resource,
> but the {{pathPattern}} matching {{/resource/menus}} cannot match {{/resource/menus/}}.
> A user can use {{requestURI}} + {{"/"}} to simply bypass the filter chain and bypass Shiro protection.
> [PR #127|https://github.com/apache/shiro/pull/127]
> :)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
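The mismatch reported in the quoted issue, as an added illustration in Java (my own code, not Shiro's matcher and not the change made in PR #127): a minimal Ant-style chain lookup in which the hypothetical `resolveChainRaw` finds no chain for the trailing-slash form of a protected path, while `resolveChainNormalized` strips trailing slashes before matching so both forms resolve to the same filter chain.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration (not Shiro's own code): a minimal Ant-style filter chain
// lookup that reproduces the SHIRO-682 mismatch beside a normalizing lookup.
public class TrailingSlashDemo {

    // Ordered chain definitions, like a [urls] section: pattern -> filter chain.
    private static final Map<String, String> CHAINS = new LinkedHashMap<>();
    static {
        CHAINS.put("/login", "anon");
        CHAINS.put("/static/*", "anon");
        CHAINS.put("/resource/menus", "authc, roles[admin]");
    }

    // Simplified Ant-style matching: '**' spans path segments, '*' and '?' do not.
    static boolean antMatch(String pattern, String path) {
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '*' && i + 1 < pattern.length() && pattern.charAt(i + 1) == '*') {
                re.append(".*");
                i++;
            } else if (c == '*') re.append("[^/]*");
            else if (c == '?') re.append("[^/]");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.append('$').toString()).matcher(path).matches();
    }

    // Vulnerable lookup: matches the request path exactly as received, so
    // "/resource/menus/" matches no chain and reaches the application unfiltered.
    static String resolveChainRaw(String requestPath) {
        for (Map.Entry<String, String> e : CHAINS.entrySet())
            if (antMatch(e.getKey(), requestPath)) return e.getValue();
        return null;
    }

    // Hardened lookup: drop trailing slashes (keeping "/" itself) before matching.
    static String normalize(String requestPath) {
        String p = requestPath;
        while (p.length() > 1 && p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }

    static String resolveChainNormalized(String requestPath) {
        return resolveChainRaw(normalize(requestPath));
    }

    public static void main(String[] args) {
        for (String path : new String[] {"/resource/menus", "/resource/menus/", "/"}) {
            System.out.printf("%-18s raw=%-20s normalized=%s%n", path,
                    resolveChainRaw(path), resolveChainNormalized(path));
        }
    }
}
```

Whether a deployment should normalize the request path or instead register each pattern in both forms is a design choice; the point the demo isolates is that the chain lookup and the application's routing must agree on what counts as the same path.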