Vulnerability description

Affected range
org.apache.shiro:shiro-web@[1.0.0-incubating, 1.11.0)
shiro@all versions affected
Analysis
2.1 AntPathMatcher vs. PathPattern
Following the vulnerability description, first take a quick look at the two path-matching mechanisms Spring MVC uses to route requests: AntPathMatcher and PathPatternParser (per the official documentation, PathPatternParser is the "Parser for URI path patterns producing PathPattern instances that can then be matched to requests", so what actually needs attention is PathPattern).

Before Spring Boot 2.6 the default was AntPathMatcher (configured through org.springframework.boot.autoconfigure.web.servlet.WebMvcProperties.Pathmatch, i.e. spring.mvc.pathmatch.matching-strategy = ant_path_matcher); see the code:

From 2.6.0 onwards the default switched to PathPattern (matching-strategy = path_pattern_parser); the code is as follows:
2.1.1 AntPathMatcher
The matching rules as documented for AntPathMatcher:

| Pattern | Meaning |
| ? | matches one character |
| * | matches zero or more characters |
| ** | matches zero or more directories in a path |
| {spring:[a-z]+} | matches the regexp [a-z]+ as a path variable named "spring" |
2.1.2 PathPattern

- ? matches one character
- * matches zero or more characters within a path segment
- ** matches zero or more path segments until the end of the path
- {spring} matches a path segment and captures it as a variable named "spring"
- {spring:[a-z]+} matches the regexp [a-z]+ as a path variable named "spring"
- {*spring} matches zero or more path segments until the end of the path and captures it as a variable named "spring"
@GetMapping("/admin/{*path}")
public String adminBypass(@PathVariable String path) {
    System.out.println(path);
    return "admin" + path;
}

The variable path receives the value /path, i.e. the {*path} capture keeps its leading slash:
2.1.3 Differences between the two

In PathPattern the multi-segment wildcards (** and {*var}) may only appear at the end of a pattern (the parser rejects anything after them), whereas AntPathMatcher accepts ** in the middle of a pattern:

AntPathMatcher uses / as the separator by default. A different separator can be supplied to fit the use case (for example \ for Windows paths, / for Linux paths, . for package names), as its constructor shows:
Reproduction

Shiro configuration (securityManager() is the application's SecurityManager bean, not shown here):

@Bean
ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterConfiguration shiroFilterConfiguration = new ShiroFilterConfiguration();
    shiroFilterConfiguration.setStaticSecurityManagerEnabled(true);
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setShiroFilterConfiguration(shiroFilterConfiguration);
    bean.setSecurityManager(securityManager());
    bean.setLoginUrl("/login");
    bean.setSuccessUrl("/index");
    bean.setUnauthorizedUrl("/unauthorizedurl");
    Map<String, String> map = new LinkedHashMap<>();
    map.put("/doLogin", "anon");
    // Ant-style "*" stays inside one path segment: /admin/page is guarded, /admin/page/x is not
    map.put("/admin/*", "authc");
    bean.setFilterChainDefinitionMap(map);
    return bean;
}

Controller:

@GetMapping("/admin/page")
public String admin() {
    return "admin page";
}

// PathPattern-only syntax: {*path} swallows every remaining segment under /admin/
@GetMapping("/admin/{*path}")
public String adminBypass(@PathVariable String path) {
    System.out.println(path);
    return "admin Bypass page";
}

Dependency:

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring-boot-web-starter</artifactId>
    <version>1.11.0</version>
</dependency>
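To see the mismatch from section 2.1.3 and the reproduction above without starting a server, the following added example (not code from the original post or from the Shiro project) feeds the same request paths to Shiro's own AntPathMatcher, using the chain pattern /admin/* from the configuration, and to Spring's PathPattern using the controller mapping /admin/{*path}. Every path that Spring routes but Shiro's chain does not match reaches the handler without the authc filter. The class name, the list of request paths and the /admin/** variant are assumptions introduced for the demo; /admin/** is shown as a hardening of the chain definition, not as something the post recommends.

```java
import java.util.List;

import org.apache.shiro.util.AntPathMatcher;           // shiro-core: the matcher behind Shiro's filter chains
import org.springframework.http.server.PathContainer;   // spring-web
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

/**
 * Added demo: compares what Shiro's chain matcher guards with what Spring's
 * PathPattern routes, and flags every path that the /admin/{*path} handler
 * would serve anonymously.
 */
public class MatcherMismatchDemo {

    // Chain definition from the reproduction config: Ant "*" never crosses a "/"
    static final String SHIRO_CHAIN = "/admin/*";
    // Hardened alternative (assumption, not from the post): Ant "**" also covers nested segments
    static final String SHIRO_CHAIN_HARDENED = "/admin/**";
    // Controller mapping from the reproduction: PathPattern-only {*var} syntax
    static final String SPRING_MAPPING = "/admin/{*path}";

    // Request paths constructed for this demo
    static final List<String> REQUESTS =
            List.of("/admin", "/admin/page", "/admin/page/", "/admin/page/x", "/admin/a/b/c");

    /** Does the Shiro chain pattern match this request path (Ant semantics)? */
    static boolean shiroMatches(String chainPattern, String requestPath) {
        return new AntPathMatcher().match(chainPattern, requestPath);
    }

    /** Value Spring MVC (PathPattern strategy) captures into {*path}, or null if the mapping does not apply. */
    static String springCapture(String mapping, String requestPath) {
        PathPattern pattern = new PathPatternParser().parse(mapping);
        PathPattern.PathMatchInfo info = pattern.matchAndExtract(PathContainer.parsePath(requestPath));
        return info == null ? null : info.getUriVariables().get("path");
    }

    public static void main(String[] args) {
        for (String req : REQUESTS) {
            String captured = springCapture(SPRING_MAPPING, req);
            boolean guarded = shiroMatches(SHIRO_CHAIN, req);
            boolean guardedHardened = shiroMatches(SHIRO_CHAIN_HARDENED, req);
            System.out.printf("%-14s spring=%-16s shiro[%s]=%-5b shiro[%s]=%b%n",
                    req,
                    captured == null ? "no route" : "path=\"" + captured + "\"",
                    SHIRO_CHAIN, guarded,
                    SHIRO_CHAIN_HARDENED, guardedHardened);
            if (captured != null && !guarded) {
                System.out.println("    -> dispatched by Spring, but the " + SHIRO_CHAIN + " chain never applied authc");
            }
        }
    }
}
```

Run it with shiro-core and spring-web on the classpath. Paths with more than one segment under /admin/ (such as /admin/page/x) are routed by the {*path} mapping yet fall outside /admin/*, which is exactly the gap the reproduction exploits; the /admin/** column shows that an Ant pattern covering nested segments closes it regardless of which strategy Spring MVC uses. The demo calls the matcher directly, whereas Shiro's PathMatchingFilterChainResolver normalises the request URI before matching, so treat the trailing-slash case as an approximation of the live behaviour.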
Remediation

Switch Spring MVC back to Ant-style matching so that Spring and Shiro interpret request paths the same way:

spring.mvc.pathmatch.matching-strategy = ant_path_matcher

As a check after applying it, review the filter chain definitions as well: a chain such as /admin/* only guards a single segment, whereas /admin/** also covers nested paths.
Originally published on the WeChat official account SecIN技术平台: 原创 | 浅谈Apache Shiro CVE-2023-22602 (Original | A brief look at Apache Shiro CVE-2023-22602)