-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
[#1025] - Shiro's InvalidRequestFilter blocks valid paths with encoded slashes #1026
base: main
Are you sure you want to change the base?
Conversation
Default is NORMAL, which only blocks actual paths. STRICT also blocks encoded slashes ('/') and periods ('.'). NO_BLOCK disables.
Thanks for the PR @haster! (and sorry for the delay with the response) I can see the desire to make this more flexible, but we need to make sure we retain backwards compatibility with the current versions of Shiro. I think the default value should be what you have defined as Possibly enum values of /**
*
* @deprecated Use {@link #getBlockTraversal()}
*/
@Deprecated
public boolean isBlockTraversal() {
// we could even add a log warning here 🤷
return this.pathTraversalBlockMode != DISABLED;
} Thoughts / suggestions? (other ideas for the term |
Are there any updates on this issue? |
There are still issues with this PR that remain unresolved, and it seems the author has abandoned it. |
fixes #1025
Adds a 3-valued enum for path-traversal-blockmode. Default is NORMAL, which only blocks actual paths. STRICT also blocks encoded slashes ('/') and periods ('.'). NO_BLOCK disables.
This enables a mode to block actual path traversal while still allowing for encoded URLs and such to be present as path parameter.
Following this checklist to help us incorporate your contribution quickly and easily:
for the change (usually before you start working on it). Trivial changes like typos do not
require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
[#XXX] - Fixes bug in SessionManager
,where you replace
#XXX
with the appropriate GitHub issue. Best practiceis to use the GitHub issue title in the pull request title and in the first line of the commit message.
fixes #XXX
if merging the PR should close a related issue.mvn verify
to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.git rebase -i
.Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like
[DOC] - Add javadoc in SessionManager
.If this is your first contribution, you have to read the Contribution Guidelines
If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.
To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.