Add advice on Spring MVC path matching for 5.3 and above to the reference documentation #26750
Comments
The Servlet API unfortunately does not specify precisely how the servletPath is to be normalized. This is why it's best to avoid reliance on the servletPath. For example if the Servlet is mapped to "/" then you can set

Yet another option is to reject URLs that contain ";" if you don't expect them, or duplicate slashes. The Spring Security firewall does that.

I've set this to 5.3.6 in order to update the documentation with comprehensive advice on the topic. There have been a number of changes in 5.3 that should be summarized.

Thanks
I had noticed that in org.springframework.web.util.UrlPathHelper#decodeAndCleanUriString special URLs are processed as follows:

```java
uri = removeSemicolonContent(uri);
uri = decodeRequestString(request, uri);
uri = getSanitizedPath(uri);
return uri;
```

With this process, a URI like `/;/a/b/c` will be changed to `//a/b/c`, and `/;/a%2fb/c` will be changed to `//a/b/c`.

This can differ from what a Filter sees (for example, in Jetty), which will confuse the developer. Sometimes this may cause a security bug.

I'd like to ask, is there any specification, such as an RFC, the Servlet specification, or anything else?

If any specification is available, we can follow it.

Thanks!
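The two comments above make one point between them: a filter that matches on the raw request URI and Spring MVC, which strips `;` segments, percent-decodes and then sanitizes the path, can disagree about which handler a request reaches, and the suggested mitigation is to reject `;`, encoded slashes and duplicate slashes up front, as the Spring Security firewall does. The Python below is an added example written for this page, not Spring's or Spring Security's code. It models the three-step sequence quoted from `decodeAndCleanUriString` (the collapse-to-single-slash sanitization step and the names `spring_style_lookup_path`, `layers_agree` and `strict_firewall_rejects` are this example's own assumptions), shows the same steps with decoding done first to illustrate how the order alone changes the result, and pairs the lookup path with a naive prefix-matching filter and a reject list in the spirit of `StrictHttpFirewall` defaults (an approximation, not the firewall's actual rule set).

```python
# Added example (not Spring code): model of "strip ';' content, percent-decode, collapse '//'"
# beside a filter that matches on the raw URI, to show where the two layers disagree.
from urllib.parse import unquote


def remove_semicolon_content(path: str) -> str:
    """Drop ';...' (path parameters such as ;jsessionid=...) from every '/'-separated segment."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def collapse_slashes(path: str) -> str:
    """Assumed sanitization step: replace any run of '/' with a single '/'."""
    while "//" in path:
        path = path.replace("//", "/")
    return path


def spring_style_lookup_path(raw: str) -> str:
    """Strip, then decode, then collapse: the order quoted in the comment above."""
    path = remove_semicolon_content(raw)
    path = unquote(path)          # decodes %2f to '/', %3b to ';', and so on
    return collapse_slashes(path)


def decode_first_lookup_path(raw: str) -> str:
    """The same steps with decoding done first, as another layer (or container) might."""
    path = unquote(raw)
    path = remove_semicolon_content(path)
    return collapse_slashes(path)


def layers_agree(raw: str, protected_prefix: str = "/admin") -> tuple:
    """Return (filter_thinks_protected, mvc_thinks_protected) for a raw request URI.

    The filter modelled here does no normalization at all and matches on the raw string,
    which is the naive behaviour a normalization mismatch exploits; the MVC side uses the
    model above. A (False, True) result means the filter let the request through while
    MVC routed it to the protected handler.
    """
    filter_view = raw.startswith(protected_prefix)
    mvc_view = spring_style_lookup_path(raw).startswith(protected_prefix)
    return filter_view, mvc_view


# Reject list in the spirit of StrictHttpFirewall defaults (semicolons, encoded slashes,
# backslashes, double slashes, encoded '.' and '%', NUL). Illustrative approximation only.
_FORBIDDEN = (";", "%3b", "//", "%2f", "\\", "%5c", "%2e", "%25", "%00")


def strict_firewall_rejects(raw: str) -> bool:
    """True if the raw request URI contains any token the reject list forbids (case-insensitive)."""
    lowered = raw.lower()
    return any(token in lowered for token in _FORBIDDEN)


if __name__ == "__main__":
    # Constructed sample request URIs, including the two from the comment above.
    for raw in ("/;/a/b/c", "/;/a%2fb/c", "/%3b/admin/users", "/;/admin/users", "/admin/users"):
        print(f"{raw:18} strip-first={spring_style_lookup_path(raw):16} "
              f"decode-first={decode_first_lookup_path(raw):16} "
              f"protected(filter,mvc)={layers_agree(raw)} "
              f"firewall_rejects={strict_firewall_rejects(raw)}")
```

Running it shows `/;/admin/users` passing a raw-prefix filter while MVC resolves it to `/admin/users`, and `/%3b/admin/users` resolving differently depending only on whether decoding happens before or after the `;` strip; every one of those inputs is rejected outright by the reject list, which is why the front-door rejection is the simpler control when such URLs are not expected.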