From 568c4d723f79378a9dc9c3511464e1721cdabc76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Garc=C3=ADa?=
Date: Fri, 23 Aug 2024 08:58:35 +0200
Subject: [PATCH] Special characters in the cookie causing 400 bad requests from Spring Security. Fixes #8275
---
 .../web/GeoNetworkStrictHttpFirewall.java | 47 +++++++++++++++++++
 .../config-security/config-security-core.xml | 6 +++
 2 files changed, 53 insertions(+)
 create mode 100644 core/src/main/java/org/fao/geonet/web/GeoNetworkStrictHttpFirewall.java
diff --git a/core/src/main/java/org/fao/geonet/web/GeoNetworkStrictHttpFirewall.java b/core/src/main/java/org/fao/geonet/web/GeoNetworkStrictHttpFirewall.java
new file mode 100644
index 00000000000..cdf34c45f18
--- /dev/null
+++ b/core/src/main/java/org/fao/geonet/web/GeoNetworkStrictHttpFirewall.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2001-2024 Food and Agriculture Organization of the
+ * United Nations (FAO-UN), United Nations World Food Programme (WFP)
+ * and United Nations Environment Programme (UNEP)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+ * Rome - Italy. email: geonetwork@osgeo.org
+ */
+
+package org.fao.geonet.web;
+
+import org.springframework.security.web.firewall.StrictHttpFirewall;
+
+import java.util.regex.Pattern;
+
+import static java.nio.charset.StandardCharsets.ISO_8859_1;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+ * Spring Security HttpFirewall that allows parsing UTF8 header values.
+ */
+public class GeoNetworkStrictHttpFirewall extends StrictHttpFirewall {
+    private static final Pattern ALLOWED_HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
+
+    public GeoNetworkStrictHttpFirewall() {
+        super();
+
+        this.setAllowedHeaderValues(header -> {
+            String parsed = new String(header.getBytes(ISO_8859_1), UTF_8);
+            return ALLOWED_HEADER_VALUE_PATTERN.matcher(parsed).matches();
+        });
+    }
+}
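Review bot: The re-decoding inside the `setAllowedHeaderValues` lambda uses `new String(bytes, UTF_8)`, which silently replaces every malformed byte sequence with U+FFFD — an assigned, non-control character — so a header value that is not valid UTF-8 (for example a raw 0x85 byte, which the container presumably hands over as the C1 control U+0085) now passes a check that Spring's default predicate would have failed, while downstream code still sees the original, undecoded string. Use a strict `CharsetDecoder` with `CodingErrorAction.REPORT` and fall back to validating the original `header` when decoding fails, so only genuine UTF-8 is relaxed (this needs imports of `java.nio.ByteBuffer`, `java.nio.charset.CharacterCodingException` and `java.nio.charset.CodingErrorAction`). The `ISO_8859_1` round-trip assumes the servlet container decoded the header bytes as Latin-1; that assumption is worth stating in the class Javadoc, which currently only says the firewall "allows parsing UTF8 header values", e.g. `Header values reach us decoded as ISO-8859-1 by the container; re-decode them as UTF-8 before applying the allowed-characters check.` The explicit `super()` call is redundant and can be dropped.

```java
        this.setAllowedHeaderValues(header -> {
            String parsed;
            try {
                // Strict decode: reject malformed input instead of laundering it into U+FFFD
                parsed = UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(header.getBytes(ISO_8859_1)))
                    .toString();
            } catch (CharacterCodingException e) {
                // Not UTF-8: validate the value exactly as the container delivered it
                parsed = header;
            }
            return ALLOWED_HEADER_VALUE_PATTERN.matcher(parsed).matches();
        });
```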
diff --git a/web/src/main/webapp/WEB-INF/config-security/config-security-core.xml b/web/src/main/webapp/WEB-INF/config-security/config-security-core.xml
index f83fa3e0bc9..c769833cefa 100644
--- a/web/src/main/webapp/WEB-INF/config-security/config-security-core.xml
+++ b/web/src/main/webapp/WEB-INF/config-security/config-security-core.xml
@@ -65,8 +65,14 @@
+ + + + +