Darius Bohni opened SPR-11591 and commented
There is a security issue on line 843/844. An attacker can manipulate the log via a malicious request.
The method doService extracts the URI from the request and uses it unvalidated.

```java
logger.debug("DispatcherServlet with name '" + getServletName() + "'" + resumed +
        " processing " + request.getMethod() + " request for [" + requestUri + "]");
```

An attacker can forge the log by sending a request containing %0D%0A.
The log will look like:

```
08:34:50.145 [http-bio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/app/home
```
Affects: 3.2.8, 4.0.2
Referenced from: commits a2bdc28, 465ca24
Backported to: 3.2.9
Juergen Hoeller commented
Good catch! For logging purposes in DispatcherServlet, we're using the encoded request URI as returned from HttpServletRequest.getRequestURI() now instead of UrlPathHelper's decoded one.
That said, since this is about debug logging only - which is never to be activated in a production system - the practical impact should be limited.
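The following stand-alone Python model, added here as an example and not code from the Spring Framework or from either commenter, reproduces the mechanism described in the report and the fix described in the reply: a percent-decoded request path carrying %0D%0A splits one debug record into two lines, while logging the still-encoded URI (what `HttpServletRequest.getRequestURI()` returns) keeps the record on one line. The message format mirrors the `logger.debug` call quoted above; the servlet name, the forged path, the timestamp and the `sanitize_for_log` helper are constructed for this example.

```python
"""Model of the SPR-11591 log-forging issue (example code, not Spring's own).

A decoded request URI containing CR/LF is written into a single-line log
record, so an attacker can append fake records. Logging the encoded URI
leaves %0D%0A as literal text and the record stays on one line.
"""
from urllib.parse import unquote

# Constructed sample request path: '/app/home' followed by an encoded CRLF
# and a forged DEBUG record. This is example data, not from the report.
FORGED_PATH = (
    "/app/home%0D%0A"
    "08:34:50.146%20[http-bio-8080-exec-1]%20DEBUG%20forged%20-%20admin%20logged%20in"
)


def format_debug_line(servlet_name, method, request_uri):
    """Mirror the DispatcherServlet debug message quoted in the issue."""
    return "DispatcherServlet with name '%s' processing %s request for [%s]" % (
        servlet_name, method, request_uri)


def log_with_decoded_uri(raw_path):
    """Vulnerable variant: the decoded path (as UrlPathHelper would yield it)
    goes straight into the log, so CR/LF from the request reaches the log."""
    return format_debug_line("dispatcher", "GET", unquote(raw_path))


def log_with_encoded_uri(raw_path):
    """Fixed variant, as described in the reply: log the encoded URI, which
    still contains the literal text '%0D%0A' rather than control characters."""
    return format_debug_line("dispatcher", "GET", raw_path)


def sanitize_for_log(value):
    """Defense in depth for any other place that logs decoded user input:
    escape CR and LF so one log record can never span two physical lines."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def record_count(log_text):
    """Number of physical lines a log consumer would see for this record."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    print("decoded URI ->", record_count(log_with_decoded_uri(FORGED_PATH)), "line(s)")
    print("encoded URI ->", record_count(log_with_encoded_uri(FORGED_PATH)), "line(s)")
    print("sanitized   ->",
          record_count(sanitize_for_log(log_with_decoded_uri(FORGED_PATH))), "line(s)")
```

Running the script shows the decoded variant producing two lines, the second of which starts with the forged timestamp, exactly the truncated-looking record in the report. Logging the encoded URI is a fix only for this particular statement; any other code path that writes a decoded path, header or parameter to a log needs CR/LF escaping (or a log layout that does it) to stay safe.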