Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Special characters in the cookie causing 400 bad requests from Spring Security #8275

Closed
xiechangning20 opened this issue Jul 23, 2024 · 0 comments
Closed

Special characters in the cookie causing 400 bad requests from Spring Security #8275

xiechangning20 opened this issue Jul 23, 2024 · 0 comments

Comments

@xiechangning20
Copy link

Describe the bug
Special characters in the cookie causing 400 bad requests from Spring Security Http Fire wall

To Reproduce
Steps to reproduce the behavior locally:

  1. Go to home page, for instance:
    http://localhost:8080/catalogue/srv/eng/catalog.search
  2. Go to the application tab in the browser and add a cookie with special characters, such as , , , 😀
  3. Refresh the page
  4. Will see 400 the described bad request error in UI

Expected behavior
Support special characters in the cookie

Screenshots
image

Log file
Error Message from Spring
Message Cannot build ServiceRequest Cause : The request was rejected because the header value "XSRF-TOKEN=4e62422e-0856-4b71-9dd6-ac8c8c5ce378; JSESSIONID=419CAE53ADA85118DC471FA40C563195; serverTime=1721755840263; sessionExpiry=1721755840263; test=�" is not allowed. Error : org.springframework.security.web.firewall.RequestRejectedException

Desktop (please complete the following information):

  • Browser
    Edge
  • GeoNetwork Version
    4.2.9
  • Server Application
    Tomcat 9.0.87 with Java 8

Additional context
Likely caused by Spring mis-interpreted the cookie value as ISO-8859-1 (Latin1) instead of UTF-8. Which can be fixed by configuring the following:
image
https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html
josegar74 added a commit to GeoCat/core-geonetwork that referenced this issue Aug 23, 2024
@josegar74
Special characters in the cookie causing 400 bad requests from Spring…
98ff376 
… Security. Fixes geonetwork#8275
@josegar74 josegar74 mentioned this issue Aug 23, 2024
Merged
10 tasks
geonetworkbuild pushed a commit that referenced this issue Sep 2, 2024
@josegar74 @github-actions
Special characters in the cookie causing 400 bad requests from Spring…
9deca72 
… Security. Fixes #8275
josegar74 added a commit that referenced this issue Sep 9, 2024
@geonetworkbuild @josegar74
Special characters in the cookie causing 400 bad requests from Spring…
e352035 
… Security. Fixes #8275 (#8327)

Co-authored-by: Jose García <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@xiechangning20