From bdem...@apache.org
Subject shiro git commit: SHIRO-570: Only accept a cookie value when the request uses the proper path.
Date Thu, 07 Jul 2016 16:07:15 GMT
Repository: shiro
Updated Branches:
  refs/heads/1.3.x 6684e8694 -> e3b899939


SHIRO-570: Only accept a cookie value when the request uses the proper path.

Fixes #23, SHIRO-570


Project: http://git-wip-us.apache.org/repos/asf/shiro/repo
Commit: http://git-wip-us.apache.org/repos/asf/shiro/commit/e3b89993
Tree: http://git-wip-us.apache.org/repos/asf/shiro/tree/e3b89993
Diff: http://git-wip-us.apache.org/repos/asf/shiro/diff/e3b89993

Branch: refs/heads/1.3.x
Commit: e3b899939d2db414a24f25c609891556ffb9e238
Parents: 6684e86
Author: Andreas Kohn <andreas.kohn@gmail.com>
Authored: Thu Mar 17 15:07:27 2016 +0100
Committer: Brian Demers <bdemers@apache.org>
Committed: Thu Jul 7 12:01:16 2016 -0400

----------------------------------------------------------------------
 .../apache/shiro/web/servlet/SimpleCookie.java  | 28 +++++++++++++++--
 .../shiro/web/servlet/SimpleCookieTest.java     | 33 ++++++++++++++++++++
 2 files changed, 59 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/shiro/blob/e3b89993/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
----------------------------------------------------------------------
diff --git a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
index 1f27e9b..c8d1420 100644
--- a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
+++ b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
@@ -329,6 +329,24 @@ public class SimpleCookie implements Cookie {
     }
 
     /**
+     * Check whether the given {@code cookiePath} matches the {@code requestPath}
+     *
+     * @param cookiePath
+     * @param requestPath
+     * @return
+     * @see <a href="https://tools.ietf.org/html/rfc6265#section-5.1.4">RFC 6265, Section
5.1.4 "Paths and Path-Match"</a>
+     */
+    private boolean pathMatches(String cookiePath, String requestPath) {
+        if (!requestPath.startsWith(cookiePath)) {
+            return false;
+        }
+
+        return requestPath.length() == cookiePath.length()
+            || cookiePath.charAt(cookiePath.length() - 1) == '/'
+            || requestPath.charAt(cookiePath.length()) == '/';
+    }
+
+    /**
      * Formats a date into a cookie date compatible string (Netscape's specification).
      *
      * @param date the date to format
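Review bot: The Javadoc on the new `pathMatches` (lines 49–56) leaves `@param cookiePath`, `@param requestPath` and `@return` empty; proposed text: `@param cookiePath the cookie's path attribute; must be non-null and non-empty`, `@param requestPath the request-URI path to test; must be non-null`, `@return {@code true} if {@code cookiePath} path-matches {@code requestPath} as defined by RFC 6265, Section 5.1.4`. The non-empty precondition matters because `cookiePath.charAt(cookiePath.length() - 1)` on line 63 throws for an empty string and the method itself has no guard — it relies on the caller having run the value through `StringUtils.clean`, so stating it in the doc (or adding `if (cookiePath.isEmpty()) return false;`) makes that contract visible. It would also help to note that the comparison is literal and case-sensitive: the string is compared exactly as supplied, so whether percent-encoded or non-normalized segments in the request path are handled consistently depends on what the caller passes, which this method cannot see.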
@@ -362,8 +380,14 @@ public class SimpleCookie implements Cookie {
         String value = null;
         javax.servlet.http.Cookie cookie = getCookie(request, name);
         if (cookie != null) {
-            value = cookie.getValue();
-            log.debug("Found '{}' cookie value [{}]", name, value);
+            // Validate that the cookie is used at the correct place.
+            String path = StringUtils.clean(getPath());
+            if (path != null && !pathMatches(path, request.getRequestURI())) {
+                log.warn("Found '{}' cookie at path '{}', but should be only used for '{}'",
new Object[] { name, request.getRequestURI(), path});
+            } else {
+                value = cookie.getValue();
+                log.debug("Found '{}' cookie value [{}]", name, value);
+            }
         } else {
             log.trace("No '{}' cookie value", name);
         }
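Review bot: The new check on line 79 is skipped entirely when `getPath()` is unset (`path == null`), so a cookie configured without an explicit path is still accepted on any request URI; if this class derives a default path (such as the context path) when it writes the cookie, the same derived value should be compared here, otherwise the default configuration gets none of the protection this commit adds — I cannot confirm from the hunk how the default is computed. `request.getRequestURI()` is evaluated twice (lines 79 and 81); hoist it once: `String requestURI = request.getRequestURI();`. The WARN on lines 80–81 records a client-controlled value on every mismatch, and a client can trigger a mismatch at will, so either log at DEBUG or accept that the WARN volume is request-driven. The enclosing `readValue` method begins before and ends after this hunk.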

http://git-wip-us.apache.org/repos/asf/shiro/blob/e3b89993/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
----------------------------------------------------------------------
diff --git a/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java b/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
index 79d88e8..3a272aa 100644
--- a/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
+++ b/web/src/test/java/org/apache/shiro/web/servlet/SimpleCookieTest.java
@@ -116,6 +116,39 @@ public class SimpleCookieTest extends TestCase {
         testRootContextPath(null);
     }
 
+    @Test
+    public void testReadValueInvalidPath() throws Exception {
+        expect(mockRequest.getRequestURI()).andStubReturn("/foo/index.jsp");
+        expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] {
new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
+        replay(mockRequest);
+        replay(mockResponse);
+
+        this.cookie.setPath("/bar/index.jsp");
+        assertEquals(null, this.cookie.readValue(mockRequest, mockResponse));
+    }
+
+    @Test
+    public void testReadValuePrefixPath() throws Exception {
+        expect(mockRequest.getRequestURI()).andStubReturn("/bar/index.jsp");
+        expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] {
new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
+        replay(mockRequest);
+        replay(mockResponse);
+
+        this.cookie.setPath("/bar");
+        assertEquals("value", this.cookie.readValue(mockRequest, mockResponse));
+    }
+
+    @Test
+    public void testReadValueInvalidPrefixPath() throws Exception {
+        expect(mockRequest.getRequestURI()).andStubReturn("/foobar/index.jsp");
+        expect(mockRequest.getCookies()).andStubReturn(new javax.servlet.http.Cookie[] {
new javax.servlet.http.Cookie(this.cookie.getName(), "value") });
+        replay(mockRequest);
+        replay(mockResponse);
+
+        this.cookie.setPath("/foo");
+        assertEquals(null, this.cookie.readValue(mockRequest, mockResponse));
+    }
+
     private static <T extends javax.servlet.http.Cookie> T eqCookie(final T in) {
         reportMatcher(new IArgumentMatcher() {
             public boolean matches(Object o) {
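Review bot: `assertEquals(null, ...)` on lines 109 and 133 is clearer as `assertNull(this.cookie.readValue(mockRequest, mockResponse));`. The three new cases cover a full mismatch, a directory-prefix match and the `/foo` vs `/foobar` false-prefix case, but two branches of the path-match rule in the main hunk are not pinned: an exact match (`setPath("/bar/index.jsp")` with request URI `/bar/index.jsp`) and a cookie path ending in `/` (`setPath("/bar/")` with `/bar/index.jsp`). A case with no path configured would also document the intended behaviour of the `path != null` guard in `readValue`. The class continues outside the hunk.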

