From 2f762fefe1c0a418536ea6a9658514a575a78886 Mon Sep 17 00:00:00 2001
From: Christian Becker
Date: Sun, 11 Feb 2024 22:37:35 +0100
Subject: [PATCH 1/2] Allow tab in HTTP header values.
Closes gh-14573
---
 .../security/web/firewall/StrictHttpFirewall.java | 6 +++++-
 .../security/web/firewall/StrictHttpFirewallTests.java | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
index d3a9f7b3348..67aa186eda5 100644
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -130,9 +130,13 @@ public class StrictHttpFirewall implements HttpFirewall {
 private static final Predicate ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (
 s) -> ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
+ private static final Pattern HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[[^\\p{IsControl}]||\\t]]*");
+
+ private static final Predicate HEADER_VALUE_PREDICATE = (s) -> HEADER_VALUE_PATTERN.matcher(s).matches();
+
 private Predicate allowedHeaderNames = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
- private Predicate allowedHeaderValues = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
+ private Predicate allowedHeaderValues = HEADER_VALUE_PREDICATE;
 private Predicate allowedParameterNames = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
diff --git a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
index 16b875ed531..0a4df222645 100644
--- a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
+++ b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
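Review bot: The `||` inside the nested character class of `HEADER_VALUE_PATTERN` is not an operator in `java.util.regex` — character classes union by juxtaposition (`[a-d[m-p]]`) and intersect with `&&`, so the two `|` characters are literal pipes added to the class. The predicate still does what was intended (assigned, and either non-control or HTAB) only because `|` is already a non-control assigned character, so the phantom operator changes nothing today but misleads the next reader into believing a union operator exists. Writing it as `Pattern.compile("[\\p{IsAssigned}&&[[^\\p{IsControl}]\\t]]*")` expresses the same set without it. A one-line why-comment on the constant would also make the security boundary explicit, e.g. `// RFC 9110 §5.5 allows HTAB inside a field value; CR and LF are still ISO controls and stay rejected, so header-splitting protection is unchanged`. The enclosing class StrictHttpFirewall continues outside this hunk.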
@@ -782,6 +782,13 @@ public void getFirewalledRequestGetHeaderWhenControlCharacterInHeaderValueThenEx
 assertThatExceptionOfType(RequestRejectedException.class).isThrownBy(() -> request.getHeader("Something"));
 }
+ @Test
+ public void getFirewalledRequestGetHeaderWhenHorizontalTabInHeaderValueThenNoException() {
+ this.request.addHeader("Something", "tab\tvalue");
+ HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+ assertThat(request.getHeader("Something")).isEqualTo("tab\tvalue");
+ }
+
 @Test
 public void getFirewalledRequestGetHeaderWhenUndefinedCharacterInHeaderValueThenException() {
 this.request.addHeader("Something", "bad\uFFFEvalue");
From 5f80468de3bd798e6a421317069c2d480b657566 Mon Sep 17 00:00:00 2001
From: Christian Becker
Date: Tue, 13 Feb 2024 09:53:47 +0100
Subject: [PATCH 2/2] Updated copyright date
---
 .../security/web/firewall/StrictHttpFirewall.java | 2 +-
 .../security/web/firewall/StrictHttpFirewallTests.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
index 67aa186eda5..1a7469145c5 100644
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
index 0a4df222645..d28c31291fe 100644
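Review bot: The new test pins only the positive case; nothing in this hunk asserts that the split-off header-value predicate still rejects the characters the tab carve-out must not let through, and the existing control-character test above (only its tail is visible here) is not shown to use CR or LF. Now that header values no longer share `ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE` with names and parameters, a later widening of the header-value class beyond `\t` would go unnoticed by the suite. I would add a sibling test that feeds a CRLF-bearing value — the classic header-injection payload — and expects `RequestRejectedException`, mirroring the assertion style of the test just above. The enclosing test class continues outside this hunk.

```java
	@Test
	public void getFirewalledRequestGetHeaderWhenCarriageReturnLineFeedInHeaderValueThenException() {
		this.request.addHeader("Something", "bad\r\nvalue");
		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
		assertThatExceptionOfType(RequestRejectedException.class).isThrownBy(() -> request.getHeader("Something"));
	}
```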
--- a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
+++ b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.