
URL rewrite with data-th-src attribute appends jsession with a semi-colon, triggers spring security #684

Closed
g3ek opened this issue Apr 24, 2018 · 2 comments


g3ek commented Apr 24, 2018

Hello,

We have lately been getting a lot of errors in our logs from the Spring Security firewall, which was changed to a stricter version:
https://spring.io/blog/2018/01/30/cve-2018-1199-spring-security-5-0-1-4-2-4-4-1-5-released

We use the data-th-src attribute like this:
<script src="/js/ours.js" data-th-src="@{'/js/ours.js?v=' + ${application.version}}"></script>

The error we get from the Spring Security firewall:
The request was rejected because the URL contained a potentially malicious String ";"

URL:
/js/ours.js;jsessionid=EE4E97D412B0487F34AAD17A522E2351?v=1.0

Thymeleaf version: v3.0.9 RELEASE
Spring security version: v4.2.4 RELEASE
Spring: v4.3.14 RELEASE

@danielfernandez (Member) commented

The addition of the ;jsessionid=... path parameter is a normal and (usually) desirable part of the standard URL rewriting mechanism in Java web applications. The idea is that, when an application has already expressed its need to create a user session, the ID for that session has to be passed along to the browser somehow. And until the browser demonstrates that it has the capability of using (and permission to use) cookies, by means of an HTTP header in the request following the one in which it received that jsessionid, the ;jsessionid=... path parameter is how this is done in most Java Servlet-based web servers, such as Tomcat.

As for the reasons Spring Security warns about this, well, I'm not sure why the jsessionid, being standard, is not dealt with in a specific fashion, but I guess if this is intentional you'll have to configure your application at the Tomcat context level to disable URL rewriting. Note that Thymeleaf does not add this path parameter explicitly; it only asks the Servlet API "hey response, rewrite this URL if needed", and then an implementation of URL rewriting provided by Tomcat, Spring, or another provider is executed.
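The two configuration points discussed above, shown as an added example (this is not code from the issue, from Thymeleaf or from Spring; class names are illustrative, and it assumes a Servlet 3.0+ container with Spring 4.3 and Spring Security 4.2.4 as in the report). The first class disables URL-based session tracking, so `response.encodeURL()` returns the link untouched and no `;jsessionid=...` ever reaches the firewall. The second keeps URL rewriting and instead tells `StrictHttpFirewall` to tolerate semicolons, which is the weaker choice because it re-enables the path-parameter handling that the linked CVE-2018-1199 release hardened against.

```java
// --- File 1: CookieOnlySessionInitializer.java (preferred fix) ---
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;

import org.springframework.web.WebApplicationInitializer;

/**
 * Picked up automatically by Spring's SpringServletContainerInitializer.
 * Restricting tracking to COOKIE is the programmatic equivalent of
 * <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
 * in web.xml. With URL tracking off, encodeURL() is a no-op, so Thymeleaf's
 * @{...} links stay clean and the session id no longer leaks into Referer
 * headers, access logs or bookmarks.
 */
public class CookieOnlySessionInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}

// --- File 2: FirewallConfig.java (weaker alternative) ---
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Keeps URL rewriting and relaxes StrictHttpFirewall (the default firewall
 * since Spring Security 4.2.4 / 5.0.1). Only the semicolon check is loosened;
 * the other StrictHttpFirewall rules (encoded slashes, percent-encoding,
 * backslashes, HTTP method allow-list) stay active.
 */
@Configuration
@EnableWebSecurity
public class FirewallConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public HttpFirewall semicolonTolerantFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Accept ';' anywhere in the request URL, so ";jsessionid=..." passes.
        // Any security rule that matches on the path must then cope with
        // path parameters itself, which is exactly what the strict default avoids.
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.httpFirewall(semicolonTolerantFirewall());
    }
}
```

Spring Boot users get the first fix as a property instead of an initializer (`server.servlet.session.tracking-modes=cookie` on Boot 2.x, `server.session.tracking-modes=cookie` on Boot 1.x). The trade-off of cookie-only tracking is that a client with cookies disabled cannot hold a session at all. The same rewriting mechanism also explains a related symptom: every `@{...}` link expression goes through `encodeURL`, so using one where Thymeleaf expects a plain template name (for example in `th:replace`) yields a template path with `;jsessionid=...` embedded in it.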


dengGQ commented Jan 13, 2020

Hello, I think I have a similar problem. My English is not very good. Please read the error log below:

Caused by: java.io.FileNotFoundException: Could not open ServletContext resource [/WEB-INF/views/common/head;jsessionid=2C3A05E1E2DA86C5A86BE309BBD31AA3.html]
    at org.springframework.web.context.support.ServletContextResource.getInputStream(ServletContextResource.java:141)
    at org.thymeleaf.spring4.templateresource.SpringResourceTemplateResource.reader(SpringResourceTemplateResource.java:103)
    at org.thymeleaf.templateparser.markup.AbstractMarkupTemplateParser.parse(AbstractMarkupTemplateParser.java:223)

My Thymeleaf template code:
<div th:replace="@{common/head}::head"></div>
