Security-related HTTP headers not written if response is committed during INCLUDE dispatch #5499
Comments
I have the same problem, but I've diagnosed it a little differently. In my case, by the time the header writing is attempted during the processing of the include file, the HttpResponse is wrapped with org.apache.catalina.core.ApplicationHttpResponse with the "included" attribute set to true. With the included field set to true, all of the headers that get emitted are suppressed. However, as expected, the response is committed. So, when the processing gets back to the header filter, the response has been committed, so again headers are suppressed. The net result is that no headers get emitted.
I think we can resolve this using an OnComittedRequestWrapper which triggers the headers to be written before an attempt to include content happens.
HeaderWriterFilter wraps request dispatcher so it can write security headers before the include occurs. Fixes: spring-projectsgh-5499
Summary
HeaderWriterFilter does not write HTTP headers if the response is committed inside a DispatcherType.INCLUDE request dispatch. This means that critical headers might be missing from the response, introducing a potential security risk.
Actual Behavior
According to the servlet specification, response HTTP headers cannot be set during an INCLUDE dispatch, e.g. in an included JSP:
So if the response is committed during an include that produced a lot of output to the response body, the HeaderWriterFilter calls the response methods that would normally set the HTTP headers, but those calls are ignored by the servlet container. At least Tomcat 8.5.x adheres to the servlet specification and does not write the headers to the response.
Expected Behavior
The headers are always written to the response, even if the response is committed during an include.
Configuration
Version
5.0.6.RELEASE
Sample
spring-security-gh5499.zip
Attached is a Zip file containing a simple Spring Boot application. Simply run the de.chschu.spring.security.gh5499.Application main class. The response of http://localhost:8080/positive will have the headers, while http://localhost:8080/negative (which simply includes the other one) will not.