Shiro / SHIRO-906

URIs like "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf" are blocked


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0
    • Fix Version/s: None
    • Component/s: Web
    • Labels: None

    Description

      When a user uploads a PDF document to this URI:

      https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbest%C3%A4tigung%2018103101.pdf

      which is the url-encoded form of

      "https://ronny.scsynergy.local/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/Auftragsbestätigung 18103101.pdf"

      an HTTP 400 response is generated by Shiro with this as the body:
      <html>

      <head>
      <title>Error</title>
      </head>

      <body>Invalid request</body>

      </html>
       
      With Shiro version 1.6.0 the upload worked. Digging through Shiro's code I found
      org.apache.shiro.web.filter.InvalidRequestFilter line 67:

      return !StringUtils.hasText(uri)

      which means that a URI which is null or has zero length or consists only of whitespace should be considered a valid URI. I am pretty sure this is not what the author intended and that the "!" just needs to be removed to fix this bug.
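A diagnostic sketch for narrowing down which character check rejects a path like the one in this report, run against both the percent-encoded and the decoded form. It is an added example, not Shiro's code and not part of the original report. Assumptions: the checks modelled are the three the filter's documentation lists as defaults (semicolon, backslash, non-ASCII characters), a blank URI is let through before those checks run, and the class and method names are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class InvalidRequestCheckSketch {

    // Same contract as the hasText() call quoted above:
    // false for null, for "" and for whitespace-only input.
    static boolean hasText(String s) {
        return s != null && s.chars().anyMatch(c -> !Character.isWhitespace(c));
    }

    // True when any character lies outside the 7-bit ASCII range.
    static boolean containsNonAscii(String s) {
        return s.chars().anyMatch(c -> c > 0x7F);
    }

    // Assumed composition (not copied from Shiro): a blank URI passes because
    // there is nothing to inspect; otherwise the first failing check is named.
    static String verdict(String uri) {
        if (!hasText(uri)) {
            return "accepted (blank, nothing to inspect)";
        }
        if (uri.indexOf(';') >= 0) {
            return "blocked: semicolon";
        }
        if (uri.indexOf('\\') >= 0) {
            return "blocked: backslash";
        }
        if (containsNonAscii(uri)) {
            return "blocked: non-ASCII character";
        }
        return "accepted";
    }

    public static void main(String[] args) {
        // Path taken from the report above, in its percent-encoded form.
        String encoded = "/Dms/rest/webdav/_/64490232f825dc0b48b7f48e/"
                + "Auftragsbest%C3%A4tigung%2018103101.pdf";
        // What a servlet container hands on after percent-decoding as UTF-8.
        String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8);

        System.out.println("encoded: " + verdict(encoded));
        System.out.println("decoded: " + verdict(decoded));
        System.out.println("blank:   " + verdict("   "));
    }
}
```

Comparing the verdict for the encoded and decoded forms shows whether the outcome depends on which representation of the path is inspected.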


          People

            Assignee: Unassigned
            Reporter: Ronald Feicht (scsynergy)
            Votes: 0
            Watchers: 4
