[SHIRO-678] only query parameters for sessionID if found

- getParameters() will also parse the body, which in turn decodes the content. avoid calling this method unless we know the sessionID can be in the query part. - getQueryString() can return null. - refactor out one level of nesting
apache · Aug 18, 2021 · b298f71 · b298f71
1 parent 4ed0c80
commit b298f71
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
@@ -130,11 +130,15 @@ private Serializable getReferencedSessionId(ServletRequest request, ServletRespo
             //try the URI path segment parameters first:
             id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
 
-            if (id == null) {
+            if (id == null && request instanceof HttpServletRequest) {
                 //not a URI path segment parameter, try the query parameters:
                 String name = getSessionIdName();
-                id = request.getParameter(name);
-                if (id == null) {
+                HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
+                String queryString = httpServletRequest.getQueryString();
+                if (queryString != null && queryString.contains(name)) {
+                    id = request.getParameter(name);
+                }
+                if (id == null && queryString != null && queryString.contains(name.toLowerCase())) {
                     //try lowercase:
                     id = request.getParameter(name.toLowerCase());
                 }

diff --git a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
@@ -158,6 +158,7 @@ public class DefaultWebSessionManagerTest {
 
         expect(cookie.getName()).andReturn(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
         expect(request.getRequestURI()).andReturn("/foo/bar?JSESSIONID=$id" as String)
+        expect(request.getQueryString()).andReturn("JSESSIONID=$id" as String)
         expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)).andReturn(id);
         request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
                 ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);
@@ -193,8 +194,8 @@ public class DefaultWebSessionManagerTest {
         String id = "12345";
 
         expect(cookie.getName()).andReturn(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
-        expect(request.getRequestURI()).andReturn("/foo/bar?JSESSIONID=$id" as String)
-        expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)).andReturn(null);
+        expect(request.getRequestURI()).andReturn("/foo/bar?jsessionid=$id" as String)
+        expect(request.getQueryString()).andReturn("jsessionid=$id" as String)
         expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME.toLowerCase())).andReturn(id);
         request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
                 ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);