Example usage for org.springframework.security.web.firewall StrictHttpFirewall setAllowUrlEncodedPercent

Introduction

In this page you can find the example usage for org.springframework.security.web.firewall StrictHttpFirewall setAllowUrlEncodedPercent.

Prototype

public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) 

Document

Determines whether a percent sign "%" that is URL encoded as "%25" should be allowed in the request path or not (it is rejected by default).

Usage

From source file: org.pentaho.platform.plugin.services.security.userrole.SecuritySystemListener.java

// Imports the excerpt below relies on; the rest of the enclosing class (including its
// `logger` field) is not shown on this page.
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * https://jira.pentaho.com/browse/BACKLOG-22526
 *
 * StrictHttpFirewall was added and made the default HttpFirewall for FilterChainProxy. As per its javadoc, it is meant
 * to block requests that contain one of the following characters in the URL: period, forward slash, backslash, semicolon, percent
 *
 * StrictHttpFirewall was added to address 3 different CVEs: CVE-2016-5007, CVE-2016-9879, CVE-2018-1199
 *
 * However, Pentaho's file/folder endpoint resources are passed as path params. And we do support file/folder names with the
 * aforementioned characters. In light of this, we are setting a more lenient HttpFirewall for FilterChainProxy
 *
 * @link https://github.com/spring-projects/spring-security/blob/4.1.5.RELEASE/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
 */
private void changeFilterChainProxyHttpFirewall() {

    // Start from the strict defaults and relax only the three checks Pentaho's path-param file names trip over;
    // encoded slash (%2F) and backslash (%5C) stay rejected.
    StrictHttpFirewall notSoStrictHttpFirewall = new StrictHttpFirewall();

    notSoStrictHttpFirewall.setAllowSemicolon(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPercent(true);
    notSoStrictHttpFirewall.setAllowUrlEncodedPeriod(true);

    try {

        // Look up the Spring Security FilterChainProxy bean registered with the Pentaho system
        FilterChainProxy filterChainProxy = PentahoSystem.get(FilterChainProxy.class, "filterChainProxy", null);

        if (filterChainProxy != null) {
            logger.debug(
                    "Changing FilterChainProxy's HttpFirewall to a more lenient one that allows for the passing "
                            + "of semicolons, periods, and percent signs in the URL path"); //$NON-NLS-1$

            filterChainProxy.setFirewall(notSoStrictHttpFirewall);
        }

    } catch (Throwable t) {
        logger.error(t);
    }
}
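To make the effect of the setter concrete, here is an added example that is not part of the java2s page or of the Pentaho source. It feeds a few constructed request paths through a default StrictHttpFirewall and through one where only setAllowUrlEncodedPercent(true) has been applied, and reports which paths each firewall accepts. It assumes spring-security-web and spring-test (for MockHttpServletRequest) are on the classpath; the class name, the helper `accepts` and the sample paths are this example's own.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Added example: shows what setAllowUrlEncodedPercent(true) does and does not relax.
 * The request paths below are constructed samples, not real Pentaho URLs.
 */
public class EncodedPercentFirewallDemo {

    /**
     * Returns true when the firewall lets the request through, false when it rejects it.
     * StrictHttpFirewall signals rejection by throwing RequestRejectedException from getFirewalledRequest.
     */
    static boolean accepts(StrictHttpFirewall firewall, String requestUri) {
        // spring-test's mock request; the request URI is the field StrictHttpFirewall inspects here
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException rejected) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Default firewall: %25, %2F, %5C, %2E and ';' in the path are all rejected.
        StrictHttpFirewall strict = new StrictHttpFirewall();

        // Same firewall with only the encoded percent relaxed (a narrower change than the Pentaho listener,
        // which also allows semicolons and encoded periods).
        StrictHttpFirewall percentAllowed = new StrictHttpFirewall();
        percentAllowed.setAllowUrlEncodedPercent(true);

        // Constructed sample paths (hypothetical file names; "50%.txt" is what the second path decodes to).
        String[] samples = {
            "/api/repo/files/report.txt",      // plain path: accepted by both
            "/api/repo/files/50%25.txt",       // encoded '%': rejected by default, accepted once relaxed
            "/api/repo/files/a%2Fb.txt",       // encoded '/': still rejected, the setter does not touch it
            "/api/repo/files/a%2Eb.txt",       // encoded '.': still rejected (setAllowUrlEncodedPeriod is separate)
            "/api/repo/files;jsessionid=x"     // literal ';': still rejected (setAllowSemicolon is separate)
        };

        System.out.printf("%-34s %-8s %-8s%n", "request URI", "default", "%25 ok");
        for (String uri : samples) {
            System.out.printf("%-34s %-8s %-8s%n", uri, accepts(strict, uri), accepts(percentAllowed, uri));
        }
    }
}
```

The table this prints is the review check worth keeping in a build: only the second row changes between the two columns. That is the scope of the setter; encoded slashes, backslashes and periods remain blocked unless their own setters are also flipped, as the Pentaho listener does for periods. When %25 is allowed, a path such as `50%25.txt` reaches the application as `50%.txt` after the container's single decode, so any handler that decodes the path a second time must be reviewed separately, because the firewall has already let the encoded form through.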