spring-security-web is not consistent with % and ; #8705
Comments
Thanks for the report. This appears to be a duplicate of gh-5007 which was resolved via gh-7052. Starting in Spring Security 5.4 you will be able to configure the Can you confirm this is a duplicate?

@rwinch Thank you for your response. I believe the one you are talking about, #5007, only deals with "//" or '\'

Thanks for the response. What is the stacktrace you see when providing

@rwinch Yes. I can customize the workflow and can do something to handle especially for

Even after gh-7052 you need to customize the

@rwinch That's the one I am explaining to you: we should not be required to customize for And I think spring-security should behave the same way for

Thanks for your response. Some containers attempt to perform normalization for certain characters. For example, it might convert Without a sample, I really cannot help you. The code always throws a I'm going to mark this as waiting for feedback again. If you need any further help, then I need a minimal and complete sample (i.e. a link to a GitHub repository that reproduces the issue) so I can reproduce/understand your problem.

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Describe the bug

In Spring version 5+ (5.1.9 spring-security-web), for "%" and ";".

To Reproduce

If I send an input field like GET /Users/{name} with Name of User = "User1;" or "User2%", we see the following response with full stack trace information.

With "//", "\", or "//", without any customization, spring-security by default responds with a 400 response code without any stack trace. Based on my investigation I found that "%" and ";" go through a different workflow than other special chars like "//", "\", etc. They go through StrictHttpFirewall.rejectedBlacklistedUrls(), which is a private method of the spring-security-web framework.

Expected behavior

The same as for "//" or '/' and the other special characters, for "%" and ";".

Example

For "//"

For "%" or ";"
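The following is an added example written for this page; it is not code from the issue or from the Spring Security project. It assumes spring-security-web 5.4 or later and spring-test (for MockHttpServletRequest) on the classpath, and it probes a StrictHttpFirewall with constructed request paths containing each of the four characters from the report. The firewall itself rejects all of them with the same RequestRejectedException; whether a caller then sees a plain 400 or a stack trace depends on what handles that exception, which is what the RequestRejectedHandler bean added in 5.4 controls.

```java
// Added example, not code from the issue or from Spring Security itself.
// Assumes spring-security-web 5.4+ and spring-test on the classpath.
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class FirewallProbe {

    // Run one constructed request path through the firewall and report the outcome.
    static String probe(StrictHttpFirewall firewall, String path) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path);
        try {
            firewall.getFirewalledRequest(request);
            return path + " -> allowed";
        } catch (RequestRejectedException ex) {
            // Every blocked character arrives here as the same exception type;
            // the firewall does not distinguish ';' or '%' from '//' or '\'.
            return path + " -> rejected: " + ex.getMessage();
        }
    }

    // Spring Security 5.4+: expose this as a @Bean so every rejection becomes a
    // plain 400 response instead of an exception reaching the container's
    // default error page (which is what prints a stack trace).
    static RequestRejectedHandler rejectedHandler() {
        return new HttpStatusRequestRejectedHandler(); // defaults to HTTP 400
    }

    public static void main(String[] args) {
        // Constructed sample paths, one per character mentioned in the report.
        List<String> paths = List.of(
                "/Users/User1;",     // semicolon
                "/Users/User2%25",   // URL-encoded percent sign
                "/Users//User3",     // double slash
                "/Users/User4\\");   // backslash

        StrictHttpFirewall defaults = new StrictHttpFirewall();
        System.out.println("== default StrictHttpFirewall ==");
        paths.forEach(p -> System.out.println(probe(defaults, p)));

        // Relaxed firewall: enable only the characters the application truly
        // needs; each setter widens what is allowed to reach your handlers.
        StrictHttpFirewall relaxed = new StrictHttpFirewall();
        relaxed.setAllowSemicolon(true);
        relaxed.setAllowUrlEncodedPercent(true);
        System.out.println("== allowSemicolon + allowUrlEncodedPercent ==");
        paths.forEach(p -> System.out.println(probe(relaxed, p)));
    }
}
```

Run the class stand-alone to compare the two firewalls: with defaults all four paths are rejected, and with the relaxed configuration only the semicolon and encoded-percent paths pass while "//" and "\" remain blocked. To get a uniform 400 in a running application, register rejectedHandler() as a @Bean in a @Configuration class; Spring Security 5.4+ picks the RequestRejectedHandler bean up automatically.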