[
https://issues.apache.org/jira/browse/SHIRO-682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16978446#comment-16978446
]
Francois Papon edited comment on SHIRO-682 at 11/20/19 2:02 PM:
----------------------------------------------------------------
Merged and included in the next 1.5.0 release.
was (Author: fpapon):
Merge and included in the next 1.5.0 release.
> fix the potential threat when use "uri = uri + '/' " to bypassed shiro protect
> ------------------------------------------------------------------------------
>
> Key: SHIRO-682
> URL: https://issues.apache.org/jira/browse/SHIRO-682
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Affects Versions: 1.3.2
> Reporter: tomsun28
> Assignee: Francois Papon
> Priority: Major
> Labels: security
> Fix For: 1.5.0
>
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> hi, the potential threat found when use shiro filter.
> in spring web, the {{requestURI :}} {{/resource/menus}} and
> {{resource/menus/}} both can access the resource,
> but the {{pathPattern}} match {{/resource/menus}} can not match
> {{resource/menus/}}
> user can use {{requestURI}} + {{"/"}} to simply bypassed chain filter, to
> bypassed shiro protect
> [PR #127|[https://github.com/apache/shiro/pull/127]]
> :)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
