-
-
Notifications
You must be signed in to change notification settings - Fork 489
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Special characters in the cookie causing 400 bad requests from Spring…
… Security. Fixes #8275
- Loading branch information
1 parent
a9a9b5b
commit 568c4d7
Showing
2 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
47 changes: 47 additions & 0 deletions
47
core/src/main/java/org/fao/geonet/web/GeoNetworkStrictHttpFirewall.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| /* | ||
| * Copyright (C) 2001-2024 Food and Agriculture Organization of the | ||
| * United Nations (FAO-UN), United Nations World Food Programme (WFP) | ||
| * and United Nations Environment Programme (UNEP) | ||
| * | ||
| * This program is free software; you can redistribute it and/or modify | ||
| * it under the terms of the GNU General Public License as published by | ||
| * the Free Software Foundation; either version 2 of the License, or (at | ||
| * your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, but | ||
| * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| * General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * along with this program; if not, write to the Free Software | ||
| * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA | ||
| * | ||
| * Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2, | ||
| * Rome - Italy. email: [email protected] | ||
| */ | ||
|
|
||
| package org.fao.geonet.web; | ||
|
|
||
| import org.springframework.security.web.firewall.StrictHttpFirewall; | ||
|
|
||
| import java.util.regex.Pattern; | ||
|
|
||
| import static java.nio.charset.StandardCharsets.ISO_8859_1; | ||
| import static java.nio.charset.StandardCharsets.UTF_8; | ||
|
|
||
| /** | ||
| * Spring Security HttpFirewall that allows parsing UTF8 header values. | ||
| */ | ||
| public class GeoNetworkStrictHttpFirewall extends StrictHttpFirewall { | ||
| private static final Pattern ALLOWED_HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*"); | ||
|
|
||
| public GeoNetworkStrictHttpFirewall() { | ||
| super(); | ||
|
|
||
| this.setAllowedHeaderValues(header -> { | ||
| String parsed = new String(header.getBytes(ISO_8859_1), UTF_8); | ||
| return ALLOWED_HEADER_VALUE_PATTERN.matcher(parsed).matches(); | ||
| }); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters