Prior to this commit, our XML parser usage would be already haredened
against XXE (XML External Entities) attacks. Still, we recently received
several invalid security reports claiming that our setup should be
hardened.
This commit documents a few usages of XML parsers to add some more
context and hopefully prevent future invalid reports.
Closes gh-33713
When assessing if a request is a CORS request, both mvc and reactive
`DefaultCorsProcessor` now catch `IllegalArgumentException` and turn
this into a 403 rejection rather than letting the exception propagate
into a 500 response.
Closes gh-33688
This change avoids the trap of creating a copy of `HttpHeaders` using a
case-sensitive `MultiValueMap` by mistake. Since mutability is always
desirable, we make a mutable copy by using `addAll` on an empty
`HttpHeaders`.
We can't simply rely on HttpHeaders' map-based constructor to detect
read-only header in this particular case, because the container's
original headers representation might in some cases be read-only.
Closes gh-33666
An example of this can be found in RFC 2732, but it is obsoleted by
RFC 3986 whose syntax for IPv6address does not allow dots.
Also, Appendix D of RFC 3986:
As [RFC2732] defers to [RFC3513] for definition of an IPv6 literal
address, which, unfortunately, lacks an ABNF description of
IPv6address, we created a new ABNF rule for IPv6address that matches
the text representations defined by Section 2.2 of [RFC3513].
See gh-33639
Previously, a timeout was set both on HttpRequest, and used on
httpClient.sendAsync().get(). This leads to inconsistent behaviour
depending on which timeout gets triggered first.
See gh-33090
Align internal handling and contracts. The core copy could do without
those contracts, but it helps with alignment, and it's internal to
the implementation.
Closes gh-33592
This commit adds a new
AbstractGenericHttpMessageConverter(Charset, MediaType...)
constructor, similar to the one present in
AbstractHttpMessageConverter.
Closes gh-33563
rstoyanchev
Juergen Hoeller
Brian Clozel
Sébastien Deleuze
Tran Ngoc Nhan
海子 Yang
Simon Baslé
Sangmin Park
Johnny Lim
Dariusz Jędrzejczyk
Khyojun
Yanming Zhou
cfredri4