
SEC-1802: RFC 1738 / 3986 compliant schemes will not be recognized as valid schemes. #2032

spring-issuemaster opened this Issue Aug 23, 2011 · 1 comment



Enrico Kufahl (Migrated from SEC-1802) said:

org.springframework.security.web.util.UrlUtils.isAbsoluteUrl(String) checks whether the given URL is absolute. This is done by checking that the URL starts with a valid scheme. But some valid schemes (RFC 1738 / 3986) will not be accepted (e.g. http1). In general, all schemes containing digits will be rejected.

Luke Taylor said:

Added digits to regex for matching the URL scheme.

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
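
The behaviour reported in this issue, as an added example that is not Spring Security's code or part of the original thread: it compares a scheme check without digits against the RFC 3986 scheme grammar over a few inputs and flags the ones that are classified differently. The class name `SchemeCheckDemo`, both patterns and the sample URLs are constructed for illustration, and only the `scheme://` form is treated as absolute.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SchemeCheckDemo {
    // Assumed stand-in for the check described in the report:
    // no digits in the scheme character class (not the project's actual regex).
    static final Pattern NO_DIGITS =
            Pattern.compile("\\A[a-z][a-z+.-]*://", Pattern.CASE_INSENSITIVE);

    // RFC 3986, section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    static final Pattern RFC_3986 =
            Pattern.compile("\\A[a-z][a-z0-9+.-]*://", Pattern.CASE_INSENSITIVE);

    // True when the input begins with "<scheme>://" according to the given pattern.
    static boolean startsWithScheme(Pattern p, String url) {
        return url != null && p.matcher(url).lookingAt();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> samples = List.of(
                "http://example.com/",      // letters only: both checks agree
                "http1://example.com/",     // the scheme named in the report
                "h2c://example.com/",       // digit in the middle of the scheme
                "coap+tcp://example.com/",  // '+' is allowed, no digits involved
                "1http://example.com/",     // not a valid scheme: must start with a letter
                "//example.com/path",       // scheme-relative reference, no scheme at all
                "/local/path");             // plain relative path

        System.out.printf("%-28s %-10s %-10s%n", "input", "no-digits", "rfc3986");
        for (String url : samples) {
            boolean before = startsWithScheme(NO_DIGITS, url);
            boolean after = startsWithScheme(RFC_3986, url);
            String flag = before != after ? "  <-- classified differently" : "";
            System.out.printf("%-28s %-10b %-10b%s%n", url, before, after, flag);
        }
    }
}
```

Any caller that branches on an absolute-versus-relative decision takes a different path for the flagged inputs, so a test table like this is worth keeping next to the check.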
