Closed
Description
Summary
Customized HttpFirewall to allow // in URI is not considered at StrictHttpFirewall#getFirewalledRequest.
Actual Behavior
We customize HttpFirewall at our own SpringSecurityConfig to allow double-slash in requested URL e.g. http://localhost:8080//dummy/err, but RequestRejectedException is thrown.
```text
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL was not normalized.
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:248) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.16.jar:8.5.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.16.jar:8.5.16]
```
As far as I see, StrictHttpFirewall#getFirewalledRequest seems to check whether the URL is normalized regardless of whether allowBackSlash is true or not.
Expected Behavior
When a URL containing // is requested, a 200 and a successful response are expected.
Configuration
We add the following configuration to our own SpringMvcConfig to override HttpFirewall and allow double-slash.
```java
@Bean
public HttpFirewall looseHttpFirewall() {
    // Start from the default StrictHttpFirewall and relax individual checks
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowSemicolon(true);
    firewall.setAllowUrlEncodedPercent(true);
    firewall.setAllowUrlEncodedSlash(true);
    firewall.setAllowUrlEncodedPeriod(true);
    // Intended to permit "//" as well, but this flag only governs backslashes
    firewall.setAllowBackSlash(true);
    return firewall;
}
```
Version
From Spring Security 5.0.2 to 5.0.6
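A JUnit 4 reproduction of the behaviour described in this issue, added here as an example and not taken from the report or from the Spring Security project. It assumes spring-security-web 5.0.6 and spring-test (for MockHttpServletRequest) on the classpath; the class and method names are hypothetical.

```java
package example; // hypothetical package name

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class DoubleSlashFirewallTest {

    // Same relaxed settings as the looseHttpFirewall bean in the report
    private static StrictHttpFirewall looseFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        firewall.setAllowUrlEncodedPercent(true);
        firewall.setAllowUrlEncodedSlash(true);
        firewall.setAllowUrlEncodedPeriod(true);
        firewall.setAllowBackSlash(true);
        return firewall;
    }

    // Constructed request: only the request URI matters for this check
    private static MockHttpServletRequest get(String requestUri) {
        return new MockHttpServletRequest("GET", requestUri);
    }

    // Reproduces the report: "//" is still rejected as "not normalized"
    // even though allowBackSlash is true
    @Test(expected = RequestRejectedException.class)
    public void doubleSlashIsRejectedDespiteAllowBackSlash() {
        looseFirewall().getFirewalledRequest(get("//dummy/err"));
    }

    // Control case: the same firewall accepts the normalized path
    @Test
    public void normalizedPathIsAccepted() {
        looseFirewall().getFirewalledRequest(get("/dummy/err"));
    }
}
```

The first test passing confirms that the normalization check runs before, and independently of, the backslash setting; the second shows the rejection is specific to the "//" segment rather than to the relaxed configuration.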