Merge pull request #225 from bmhm/SHIRO-766

[SHIRO-766] ignore exception on invalid cookies.
apache · May 6, 2020 · 8b061f7 · 8b061f7
2 parents 47dd4c1 + fdddd7c
commit 8b061f7
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java b/web/src/main/java/org/apache/shiro/web/mgt/CookieRememberMeManager.java
@@ -212,9 +212,21 @@ protected byte[] getRememberedSerializedIdentity(SubjectContext subjectContext)
             if (log.isTraceEnabled()) {
                 log.trace("Acquired Base64 encoded identity [" + base64 + "]");
             }
-            byte[] decoded = Base64.decode(base64);
+            byte[] decoded;
+            try {
+                decoded = Base64.decode(base64);
+            } catch (RuntimeException rtEx) {
+                /*
+                 * https://issues.apache.org/jira/browse/SHIRO-766:
+                 * If the base64 string cannot be decoded, just assume there is no valid cookie value.
+                 * */
+                getCookie().removeFrom(request, response);
+                log.warn("Unable to decode existing base64 encoded entity: [" + base64 + "].", rtEx);
+                return null;
+            }
+
             if (log.isTraceEnabled()) {
-                log.trace("Base64 decoded byte array length: " + (decoded != null ? decoded.length : 0) + " bytes.");
+                log.trace("Base64 decoded byte array length: " + decoded.length + " bytes.");
             }
             return decoded;
         } else {

diff --git a/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java b/web/src/test/java/org/apache/shiro/web/mgt/CookieRememberMeManagerTest.java
@@ -35,6 +35,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import java.util.UUID;
+
 import static org.easymock.EasyMock.*;
 import static org.junit.Assert.*;
 
@@ -244,4 +246,30 @@ public void onLogout() {
         verify(mockResponse);
         verify(cookie);
     }
+
+    @Test
+    public void shouldIgnoreInvalidCookieValues() {
+        // given
+        HttpServletRequest mockRequest = createMock(HttpServletRequest.class);
+        HttpServletResponse mockResponse = createMock(HttpServletResponse.class);
+        WebSubjectContext context = new DefaultWebSubjectContext();
+        context.setServletRequest(mockRequest);
+        context.setServletResponse(mockResponse);
+
+        CookieRememberMeManager mgr = new CookieRememberMeManager();
+        Cookie[] cookies = new Cookie[]{
+                new Cookie(CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME, UUID.randomUUID().toString() + "%%ldapRealm")
+        };
+
+        expect(mockRequest.getAttribute(ShiroHttpServletRequest.IDENTITY_REMOVED_KEY)).andReturn(null);
+        expect(mockRequest.getContextPath()).andReturn(null);
+        expect(mockRequest.getCookies()).andReturn(cookies);
+        replay(mockRequest);
+
+        // when
+        final byte[] rememberedSerializedIdentity = mgr.getRememberedSerializedIdentity(context);
+
+        // then
+        assertNull("should ignore invalid cookie values", rememberedSerializedIdentity);
+    }
 }