关于Apche shiro权限Bypass漏洞,漏洞代码段
public static String getContextPath(HttpServletRequest request) {
String contextPath = (String) request.getAttribute(INCLUDE_CONTEXT_PATH_ATTRIBUTE);
if (contextPath == null) {
contextPath = request.getContextPath();
}
if ("/".equals(contextPath)) {
// Invalid case, but happens for includes on Jetty: silently adapt it.
contextPath = "";
}
return decodeRequestString(request, contextPath);
}
对于用户输入的路径,没有对编码字符进行过滤处理,通过
%2f
url编码绕过路径权限限制即可。