port patch for forbidden characters

apereo · Mar 4, 2020 · 2dcaf79 · 2dcaf79
1 parent 147815e
commit 2dcaf79
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/...main/java/org/apereo/cas/configuration/model/core/web/security/HttpRequestProperties.java b/...main/java/org/apereo/cas/configuration/model/core/web/security/HttpRequestProperties.java
@@ -29,6 +29,12 @@ public class HttpRequestProperties implements Serializable {
      */
     private boolean allowMultiValueParameters;
 
+    /**
+     * Characters to block in incoming requests.
+     * {@code none} is a special value. Separate characters by a space.
+     */
+    private String charactersToForbid = "none";
+
     /**
      * Parameters that are only allowed and accepted during posts.
      */

diff --git a/...cas-server-webapp-config/src/main/java/org/apereo/cas/config/CasFiltersConfiguration.java b/...cas-server-webapp-config/src/main/java/org/apereo/cas/config/CasFiltersConfiguration.java
@@ -134,16 +134,18 @@ public FilterRegistrationBean responseHeadersSecurityFilter() {
         bean.setName("responseHeadersSecurityFilter");
         bean.setAsyncSupported(true);
         return bean;
-
     }
 
     @RefreshScope
     @Bean
     public FilterRegistrationBean requestParameterSecurityFilter() {
         final Map<String, String> initParams = new HashMap<>();
-        initParams.put(RequestParameterPolicyEnforcementFilter.PARAMETERS_TO_CHECK,
-            casProperties.getHttpWebRequest().getParamsToCheck());
-        initParams.put(RequestParameterPolicyEnforcementFilter.CHARACTERS_TO_FORBID, "none");
+        if (StringUtils.isNotBlank(casProperties.getHttpWebRequest().getParamsToCheck())) {
+            initParams.put(RequestParameterPolicyEnforcementFilter.PARAMETERS_TO_CHECK,
+                casProperties.getHttpWebRequest().getParamsToCheck());
+        }
+        initParams.put(RequestParameterPolicyEnforcementFilter.CHARACTERS_TO_FORBID,
+            casProperties.getHttpWebRequest().getCharactersToForbid());
         initParams.put(RequestParameterPolicyEnforcementFilter.ALLOW_MULTI_VALUED_PARAMETERS,
             BooleanUtils.toStringTrueFalse(casProperties.getHttpWebRequest().isAllowMultiValueParameters()));
         initParams.put(RequestParameterPolicyEnforcementFilter.ONLY_POST_PARAMETERS,