From 8cafeefc74fbf5863943f7f4f3d2d9257be8edfb Mon Sep 17 00:00:00 2001
From: Eduard Heimbuch
Date: Wed, 2 Aug 2023 15:27:09 +0200
Subject: [PATCH] Deactivate shiro's `blockTraversal` filter

Because it breaks our branch encodings

Committed-by: Florian Scholdei
---
 gradle/changelog/shiro_traversal_filter.yaml | 2 ++
 .../java/sonia/scm/lifecycle/modules/ScmSecurityModule.java | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 gradle/changelog/shiro_traversal_filter.yaml

diff --git a/gradle/changelog/shiro_traversal_filter.yaml b/gradle/changelog/shiro_traversal_filter.yaml
new file mode 100644
index 0000000000..60478c72f7
--- /dev/null
+++ b/gradle/changelog/shiro_traversal_filter.yaml
@@ -0,0 +1,2 @@
+- type: fixed
+ description: Deactivate Shiro's new `blockTraversal` check in their `InvalidRequestFilter`
diff --git a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
index c0fa215a4a..93629fca6f 100644
--- a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
@@ -121,6 +121,7 @@ public class ScmSecurityModule extends ShiroWebModule
 // do not block non ascii character,
 // because this would exclude languages which are non ascii based
 bindConstant().annotatedWith(Names.named("shiro.blockNonAscii")).to(false);
+ bindConstant().annotatedWith(Names.named("shiro.blockTraversal")).to(false);
 // disable access to mustache resources
 addFilterChain("/**.mustache", filterConfig(ROLES, "nobody"));
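Review bot: The new `shiro.blockTraversal` binding has no comment of its own, although it switches off a request-validation check for every filter chain, and the two comment lines above it now read as if they explained both constants. With the check off, Shiro's `InvalidRequestFilter` no longer rejects request paths that contain traversal segments, so path-pattern rules such as the `/**.mustache` chain right below depend on path normalisation done elsewhere, which is not visible in this hunk. I would state the reason and the residual risk at the binding, e.g. `// do not block traversal segments: Shiro's check rejects our encoded branch names; path normalisation must be enforced elsewhere`, and add a regression test asserting that a traversal-style path to a protected resource is still denied. The enclosing method starts and ends outside the hunk.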