[SHIRO-766] ignore exception on invalid cookies.

bmarwell · bmarwell · commit fdddd7cb982d · 2020-05-05T16:12:17.000+02:00
diff --git a/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java b/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java
@@ -212,9 +212,21 @@ protected byte[] getRememberedSerializedIdentity(SubjectContext subjectContext)
             if (log.isTraceEnabled()) {
                 log.trace("Acquired Base64 encoded identity [" + base64 + "]");
             }
-            byte[] decoded = Base64.decode(base64);
+            byte[] decoded;
+            try {
+                decoded = Base64.decode(base64);
+            } catch (RuntimeException rtEx) {
+                /*
+                 * https://issues.apache.org/jira/browse/SHIRO-766:
+                 * If the base64 string cannot be decoded, just assume there is no valid cookie value.
+                 * */
+                getCookie().removeFrom(request, response);
+                log.warn("Unable to decode existing base64 encoded entity: [" + base64 + "].", rtEx);
+                return null;
+            }
+
             if (log.isTraceEnabled()) {
-                log.trace("Base64 decoded byte array length: " + (decoded != null ? decoded.length : 0) + " bytes.");
+                log.trace("Base64 decoded byte array length: " + decoded.length + " bytes.");
             }
             return decoded;
         } else {
diff --git a/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java b/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java
@@ -35,6 +35,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import java.util.UUID;
+
 import static org.easymock.EasyMock.*;
 import static org.junit.Assert.*;
 
@@ -244,4 +246,30 @@ public void onLogout() {
         verify(mockResponse);
         verify(cookie);
     }
+
+    @Test
+    public void shouldIgnoreInvalidCookieValues() {
+        // given
+        HttpServletRequest mockRequest = createMock(HttpServletRequest.class);
+        HttpServletResponse mockResponse = createMock(HttpServletResponse.class);
+        WebSubjectContext context = new DefaultWebSubjectContext();
+        context.setServletRequest(mockRequest);
+        context.setServletResponse(mockResponse);
+
+        CookieRememberMeManager mgr = new CookieRememberMeManager();
+        Cookie[] cookies = new Cookie[]{
+                new Cookie(CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME, UUID.randomUUID().toString() + "%%ldapRealm")
+        };
+
+        expect(mockRequest.getAttribute(ShiroHttpServletRequest.IDENTITY_REMOVED_KEY)).andReturn(null);
+        expect(mockRequest.getContextPath()).andReturn(null);
+        expect(mockRequest.getCookies()).andReturn(cookies);
+        replay(mockRequest);
+
+        // when
+        final byte[] rememberedSerializedIdentity = mgr.getRememberedSerializedIdentity(context);
+
+        // then
+        assertNull("should ignore invalid cookie values", rememberedSerializedIdentity);
+    }
 }
