影响版本shiro<1.6.0,造成漏洞原因是spring与shiro对URI处理相异,这个CVE实际上是对CVE-2020-11980的补充绕过
路由
@RequestMapping("/unauthorize/{abc}")
@ResponseBody
public String UnAuthorize(@PathVariable("abc") String abc){
return abc;
}shiro配置
filterMap.put("/unauthorize/*","authc");多说一点为什么造成差异就能绕过,其实是因为上面的鉴权无法匹配/unauthorize
对shiro来说处理在org.apache.shiro.web.util.WebUtils#getPathWithinApplication
public static String getPathWithinApplication(HttpServletRequest request) {
return normalize(removeSemicolon(getServletPath(request) + getPathInfo(request)));
}之前在org.apache.catalina.connector.CoyoteAdapter#postParseRequest当中提过,这里会将做url解码,
这就导致在shiro当中/unauthorize/%3bbypass=>最终被处理为/unauthorize/绕过鉴权
而在spring当中org.springframework.web.util.UrlPathHelper#decodeAndCleanUriString
这里流程是先去除;再解码,因此出现了问题
private String decodeAndCleanUriString(HttpServletRequest request, String uri) {
uri = this.removeSemicolonContent(uri);
uri = this.decodeRequestString(request, uri);
uri = this.getSanitizedPath(uri);
return uri;
}这个漏洞很简单挖到这个的师傅也确实强