StrictServerWebExchangeFirewall behavior in Spring-Security-Web 6.3.4 #16019
Assignees
Labels
Comments
kpolli
added
status: waiting-for-triage
|
It was fixed by adc66e and release in next verision 6.3.5 |
|
This is indeed a duplicate of #15974 which contains a workaround until the release. |
rwinch
added
status: duplicate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
StrictServerWebExchangeFirewall should be overridable so that allowEncodedSlashes can be set.
Current Behavior
allowEncodedSlashes in StrictServerWebExchangeFirewall can not be set.
Context
I recently updated Spring Security Web to 6.3.4 and immediately noticed requests were failing with T
he request was rejected because the URL contained a potentially malicious String \"%2F\"This was previously working so I dug into the code and noticed the error being thrown in this line . Then looking up the call list, I see that StrictServerWebExchangeFirewall object is created in the WebFilterChainProxy class which means StrictServerWebExchangeFirewall is not a bean I can create a custom copy that allows me allowEncodedSlashes. The walk-around which I'm currently trying to get to work is create WebFilterChainProxy as a bean in the WebFluxSecurityConfiguration class.
I would have marked this a bug but I can't tell if Spring Security wants to stop supporting encoded slashes so downgraded to feature enhancement.
Thank you.
The text was updated successfully, but these errors were encountered: