Skip to content

Disable SpEL selector support in WebSocket messaging by default #30550

New issue
New issue
Closed
Closed
Disable SpEL selector support in WebSocket messaging by default#30550
Assignees
sbrannen
Labels
in: webIssues in web modules (web, webmvc, webflux, websocket)type: enhancementA general enhancement
Milestone
6.1.0-M1
@sbrannen

Description

@sbrannen
sbrannen
opened on May 25, 2023

Overview

In an effort to reduce the potential for security vulnerabilities in SpEL to adversely affect Spring applications, the team has decided to disable support for evaluating SpEL expressions from untrusted sources by default.

Within the core Spring Framework, this applies to the SpEL-based selector header support in WebSocket messaging, specifically in the DefaultSubscriptionRegistry.

The selector header support will remain in place but will have to be explicitly enabled beginning with Spring Framework 6.1.

We will also investigate alternative approaches to the selector header feature that do not involve SpEL, and we may later decide to deprecate the SpEL-based selector header support in favor of such an alternative.

Deliverables

  • Disable SpEL selector support in DefaultSubscriptionRegistry by default.

Metadata

Metadata

Assignees

Labels

in: webIssues in web modules (web, webmvc, webflux, websocket)type: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions