List of usage examples for org.springframework.security.web.firewall StrictHttpFirewall setAllowSemicolon
public void setAllowSemicolon(boolean allowSemicolon)
Determines if semicolon is allowed in the URL (i.e.
From source file: org.devgateway.toolkit.web.spring.WebSecurityConfig.java

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Firewall bean that relaxes two StrictHttpFirewall defaults: URL-encoded
// forward slashes (%2F) and semicolons in the request URI.
@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedSlash(true);
    firewall.setAllowSemicolon(true);
    return firewall;
}
```
From source file: org.pentaho.platform.plugin.services.security.userrole.SecuritySystemListener.java

```java
// Import of the Pentaho system registry is assumed from the platform engine module;
// the Spring Security imports are the ones the method body requires.
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * https://jira.pentaho.com/browse/BACKLOG-22526
 *
 * StrictHttpFirewall was added and made the default HttpFirewall for FilterChainProxy. As per its javadoc, it is meant
 * to block requests that contain one of the following characters in the URL: period, forward slash, backslash,
 * semicolon, percentage.
 *
 * StrictHttpFirewall was added to address 3 different CVEs: CVE-2016-5007, CVE-2016-9879, CVE-2018-1199
 *
 * However, Pentaho's file/folder endpoint resources are passed as path params, and we do support file/folder names
 * with the aforementioned characters. In light of this, we are setting a more lenient HttpFirewall for FilterChainProxy.
 *
 * @link https://github.com/spring-projects/spring-security/blob/4.1.5.RELEASE/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
 */
private void changeFilterChainProxyHttpFirewall() {
    StrictHttpFirewall notSoStrictHttpFirewall = new StrictHttpFirewall();
    notSoStrictHttpFirewall.setAllowSemicolon(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPercent(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPeriod(true);
    try {
        // Look up the proxy by bean id in the Pentaho system registry; null when not registered.
        FilterChainProxy filterChainProxy = PentahoSystem.get(FilterChainProxy.class, "filterChainProxy", null);
        if (filterChainProxy != null) {
            // 'logger' is the enclosing listener's log field.
            logger.debug("Changing FilterChainProxy's HttpFirewall to a more lenient one that allows for the passing "
                + "of semicolons, periods, and percentages signs in the URL path"); //$NON-NLS-1$
            filterChainProxy.setFirewall(notSoStrictHttpFirewall);
        }
    } catch (Throwable t) {
        logger.error(t);
    }
}
```
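Both snippets above relax the firewall but never show a request on each side of the setting. The following is an added example written for this page, not code from either project. It assumes Spring Security (StrictHttpFirewall, RequestRejectedException) and spring-test (MockHttpServletRequest) on the classpath, and the sample URIs are constructed here. Two details matter before copying setAllowSemicolon(true): the firewall rejects the semicolon both raw and URL-encoded (%3B), so enabling it admits the encoded form as well; and period, forward slash and percent are rejected only in their encoded forms (%2E, %2F, %25), so a literal '.' or '/' in a path is never by itself the reason for a rejection.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class SemicolonFirewallDemo {

    // Returns true when the firewall lets the request through, false when it
    // throws RequestRejectedException. getFirewalledRequest is where the
    // blocklist checks run, before any filter in the chain sees the request.
    static boolean accepts(StrictHttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        // StrictHttpFirewall inspects requestURI and contextPath in encoded form
        // and servletPath/pathInfo in decoded form, so keep servletPath in step
        // with the URI as a real container would.
        request.setServletPath(requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        StrictHttpFirewall strict = new StrictHttpFirewall();      // defaults
        StrictHttpFirewall lenient = new StrictHttpFirewall();
        lenient.setAllowSemicolon(true);                           // the setting this page documents

        // Constructed sample URIs: a plain path, a JSESSIONID path parameter,
        // a semicolon placed to confuse path matching, and the encoded form.
        String[] uris = {
            "/api/files/report.pdf",
            "/api/files/report.pdf;jsessionid=abc",
            "/admin;/users",
            "/api/files/report%3Bcsv"
        };
        for (String uri : uris) {
            System.out.printf("%-40s strict=%-5s allowSemicolon=%s%n",
                uri, accepts(strict, uri), accepts(lenient, uri));
        }
    }
}
```

The default firewall rejects the three URIs that carry a semicolon in either form and accepts only the plain path; the lenient instance accepts all four. The reason the default is strict is the last two cases: once semicolons pass, the servlet container treats `;name=value` as a path parameter and strips it when computing servletPath, so `/admin;/users` and `/admin/users` can reach the same handler while looking different to any authorization rule that matches on the raw requestURI. The Spring Security javadoc also names Reflected File Download as a reason, since `;filename.bat` lets an attacker control the name a browser saves a response under. If the application genuinely needs semicolons in paths, as the Pentaho comment describes, match authorization rules on the container-normalized servlet path rather than the raw URI.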