Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

StrictHttpFirewall incorrectly rejects valid CJKV characters #11264

Closed
rwinch opened this issue May 17, 2022 · 3 comments
Closed

StrictHttpFirewall incorrectly rejects valid CJKV characters #11264

rwinch opened this issue May 17, 2022 · 3 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Milestone
6.0.0-M5

Comments

@rwinch
Copy link
Member

rwinch commented May 17, 2022

No description provided.

@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: bug A general bug labels May 17, 2022
@rwinch rwinch self-assigned this May 17, 2022
rwinch added a commit that referenced this issue May 17, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
e0a6a9e 
Issue gh-11264
@rwinch rwinch modified the milestones: 5.7.1, 6.0.0-M5 May 17, 2022
rwinch added a commit that referenced this issue May 17, 2022
@rwinch
Fix Formatting
5bf478e 
Issue gh-11264
@tawAsh1
Copy link

tawAsh1 commented May 18, 2022

Almost LGTM. We also checked the behavior.
I was looking at other methods like setAllowUrlEncodedPercent(), how about adding setAllowUrlEncodedCRLF() with the appropriate warning document?

rwinch added a commit that referenced this issue May 18, 2022
@rwinch
Add StrictHttpFirewall.allow* new lines and separators
e2eed33 
Issue gh-11264
@rwinch
Copy link
Member Author

rwinch commented May 18, 2022

@tawAsh1 Thank you for your feedback.

User's can always invoke getEncodedUrlBlocklist and getDecodedUrlBlocklist which allow adding and removing characters from it. The allow methods are for convenience for URL values that we felt were more likely to want to be enabled. I did not consider newlines to be likely for users to want to add/remove. However, since you requested the convenience methods, I went ahead and added them in e2eed33 Please let me know if this looks good to you.

@tawAsh1
Copy link

tawAsh1 commented May 18, 2022

LGTM! Thanks.

rwinch added a commit that referenced this issue May 18, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
077c9e0 
Closes gh-11264
rwinch added a commit that referenced this issue May 18, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
66d1cd5 
Closes gh-11264
rwinch added a commit that referenced this issue May 18, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
29b2b7a 
Closes gh-11264
rwinch added a commit that referenced this issue May 18, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
d94639a 
Closes gh-11264
rwinch added a commit that referenced this issue May 18, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
cfc057b 
Closes gh-11264
rwinch added a commit that referenced this issue May 18, 2022
@rwinch
StrictHttpFirewall allows CJKV characters
7d97839 
Closes gh-11264
@rwinch rwinch closed this as completed in 5b0dab5 May 18, 2022
This was referenced May 18, 2022
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
6.0.0-M5
Development

No branches or pull requests
2 participants
@rwinch @tawAsh1