root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 12 Packages Projects Releases Wiki Activity

Disable suffix pattern matching for Endpoints 

Update EndpointHandlerMapping so that setUseSuffixPatternMatch is set
to false. This prevents URLs of the form /beans.json from returning
results and provides another line of defense against RDF attacks.

Fixes gh-4402
This commit is contained in:
Phillip Webb 2015-11-11 20:15:28 -08:00
parent 10d407a516
commit 09b5222f52
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
View File

@ -80,6 +80,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
CorsConfiguration corsConfiguration) {
this.endpoints = new HashSet<MvcEndpoint>(endpoints);
this.corsConfiguration = corsConfiguration;
setUseSuffixPatternMatch(false);
// By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
// and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
setOrder(-100);