StrictHttpFirewall#setAllowedHeaderNames should augment with existing Predicate #13639

Open
gourav opened this issue Aug 9, 2023 · 2 comments · May be fixed by #15048
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

gourav commented Aug 9, 2023

Expected Behavior
StrictHttpFirewall#setAllowedHeaderNames should either augment the existing predicate with Predicate#and or provide addAllowHeaderNames to allow augmenting the current predicate, so that I get to retain the default protection provided by StrictHttpFirewall.

Current Behavior
The current implementation rejects any request with non-ASCII characters. The current implementation of StrictHttpFirewall#setAllowedHeaderNames replaces the predicate, making me lose out on the default protection.

I am willing to provide a PR for this should this be accepted as a valid request.

@gourav gourav added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Aug 9, 2023
jzheaux commented Nov 6, 2023

Thanks for the suggestion, @gourav. To leave setAllowedHeaderNames passive, I prefer your second suggestion to add addAllowHeaderNames.

Can you add the same for header values, parameter names, and parameter values?

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 6, 2023
gourav commented Nov 7, 2023

Sure. Let me come up with changes for review.
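
The difference between replacing and augmenting the predicate, shown as an added example that is not part of this thread or of Spring Security's code. `BASELINE` is an assumed stand-in for the firewall's default header-name check (the page does not show it), and `APP_RULE`, `replace` and `augment` are hypothetical names.

```java
import java.util.List;
import java.util.function.Predicate;

public class HeaderNamePredicateDemo {

    // Assumed stand-in for the firewall's built-in header-name check (the page
    // does not show it): reject any name containing an ISO control character.
    static final Predicate<String> BASELINE =
            name -> name.chars().noneMatch(Character::isISOControl);

    // Hypothetical application rule: only accept names of up to 64 characters.
    static final Predicate<String> APP_RULE = name -> name.length() <= 64;

    // Models a setter that replaces the active predicate, as the issue reports
    // for setAllowedHeaderNames: the existing check is dropped entirely.
    static Predicate<String> replace(Predicate<String> current, Predicate<String> custom) {
        return custom;
    }

    // Models the requested behaviour: the custom rule narrows the existing one,
    // so a name must pass both checks to be allowed.
    static Predicate<String> augment(Predicate<String> current, Predicate<String> custom) {
        return current.and(custom);
    }

    public static void main(String[] args) {
        // Constructed sample header names: a normal one, one carrying CR/LF,
        // and one that is longer than the application rule permits.
        List<String> names = List.of("X-Request-Id", "X-Bad\r\nName", "X-" + "a".repeat(80));

        Predicate<String> replaced = replace(BASELINE, APP_RULE);
        Predicate<String> augmented = augment(BASELINE, APP_RULE);

        for (String n : names) {
            String shown = n.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-20.20s replaced=%-5b augmented=%b%n",
                    shown, replaced.test(n), augmented.test(n));
        }
        // With a replacing setter, the caller has to pass the composed predicate:
        // firewall.setAllowedHeaderNames(BASELINE.and(APP_RULE));
    }
}
```

The name containing CR/LF passes the replaced predicate but is rejected by the augmented one, which is the loss of default protection the issue describes.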
