This commit disables support for evaluating SpEL expressions from untrusted sources by default.

Specifically, this applies to the SpEL-based 'selector' header support in WebSocket messaging, which includes the DefaultSubscriptionRegistry and the classes used to configure the 'selector' header name (SimpleBrokerMessageHandler and SimpleBrokerRegistration).

The selector header support remains in place but will have to be explicitly enabled beginning with Spring Framework 6.1. For example, a custom implementation of WebSocketMessageBrokerConfigurer can override the configureMessageBroker() method and configure the selector header name as follows.

    registry.enableSimpleBroker().setSelectorHeaderName("selector");

Closes gh-30550
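An added example, not part of the commit or of Spring's own code: a configuration class that keeps the selector header off unless an operator opts in. The property name `app.websocket.selector-enabled`, the `/ws` endpoint and the `/topic` prefix are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.messaging.simp.config.SimpleBrokerRegistration;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {

    // Hypothetical application property; false when unset, so the
    // selector header stays disabled unless explicitly turned on.
    private final boolean selectorEnabled;

    public WebSocketConfig(
            @Value("${app.websocket.selector-enabled:false}") boolean selectorEnabled) {
        this.selectorEnabled = selectorEnabled;
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws"); // assumed endpoint path
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        SimpleBrokerRegistration broker = registry.enableSimpleBroker("/topic"); // assumed prefix

        // The header value is a SpEL expression sent by the subscribing client.
        // Without this call no selector header name is configured, which is the
        // default described in the commit message.
        if (selectorEnabled) {
            broker.setSelectorHeaderName("selector");
        }
    }
}
```

Gating the call on a property makes the opt-in visible in configuration review instead of leaving it buried in code.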