From 4973e110ee99759d4e27c2f904d84c5cbabcbe78 Mon Sep 17 00:00:00 2001
From: Andreas Kluth
Date: Wed, 17 Jul 2019 15:41:25 +0200
Subject: [PATCH 1/2] An empty X-Forwarded-Prefix with a path containing escape sequences leads to exceptions.
---
 .../adapter/ForwardedHeaderTransformer.java | 2 +-
 .../adapter/ForwardedHeaderTransformerTests.java | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
index 149f22fe5b..3695d53619 100644
--- a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
+++ b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
@@ -96,7 +96,7 @@ public class ForwardedHeaderTransformer implements Function
Date: Fri, 19 Jul 2019 09:39:42 +0100
Subject: [PATCH 2/2] Polish
---
 .../server/adapter/ForwardedHeaderTransformer.java | 2 +-
 .../adapter/ForwardedHeaderTransformerTests.java | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
index 3695d53619..b3990166cb 100644
--- a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
+++ b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java b/spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java
index dc11e5b0cb..585cfb73d0 100644
--- a/spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/adapter/ForwardedHeaderTransformerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -90,10 +90,10 @@ public class ForwardedHeaderTransformerTests {
 assertForwardedHeadersRemoved(request);
 }
- @Test
- public void emptyXForwardedPrefixShouldNotLeadToDecodedPath() throws Exception {
+ @Test // gh-23305
+ public void xForwardedPrefixShouldNotLeadToDecodedPath() throws Exception {
 HttpHeaders headers = new HttpHeaders();
- headers.add("X-Forwarded-Prefix", "");
+ headers.add("X-Forwarded-Prefix", "/prefix");
 ServerHttpRequest request = MockServerHttpRequest
 .method(HttpMethod.GET, new URI("https://example.com/a%20b?q=a%2Bb"))
 .headers(headers)
@@ -101,8 +101,8 @@ public class ForwardedHeaderTransformerTests {
 request = this.requestMutator.apply(request);
- assertThat(request.getURI()).isEqualTo(new URI("https://example.com/a%20b?q=a%2Bb"));
- assertThat(request.getPath().value()).isEqualTo("/a%20b");
+ assertEquals(new URI("https://example.com/prefix/a%20b?q=a%2Bb"), request.getURI());
+ assertEquals("/prefix/a%20b", request.getPath().value());
 assertForwardedHeadersRemoved(request);
 }
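Review bot: The polish in the `@@ -90,10 +90,10 @@` hunk swaps the header value from `""` to `"/prefix"`, so the suite no longer exercises the input named in the first commit's subject, an empty X-Forwarded-Prefix combined with an escaped path. I would keep both cases: retain a test with `headers.add("X-Forwarded-Prefix", "");` that expects `request.getPath().value()` to be `"/a%20b"`, next to the new `/prefix` case whose assertions sit in the `@@ -101,8 +101,8 @@` hunk. Because this header is presumably client-influenced unless a proxy overwrites it, a further case with a percent-encoded character inside the prefix itself would pin that the prefix is not decoded or double-encoded either. The `.build()` line of the test falls between the two hunks and is not visible here.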