Fix StrictHttpFirewall rules

Fixes: gh-5093
2025-07-14 14:23:30 +00:00 · 2018-03-08 21:29:31 -06:00 · 2018-03-08 21:29:31 -06:00 · 5854f00977
commit 5854f00977
parent 93118f4e91
2 changed files with 3 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@ -340,7 +340,7 @@ public class StrictHttpFirewall implements HttpFirewall {
 			return true;
 		}
-		if (path.indexOf("//") > 0) {
+		if (path.indexOf("//") > -1) {
 			return false;
 		}
--- a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
+++ b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
@ -26,7 +26,8 @@ import static org.assertj.core.api.Assertions.fail;
 */
 public class StrictHttpFirewallTests {
 	public String[] unnormalizedPaths = { "/..", "/./path/", "/path/path/.", "/path/path//.", "./path/../path//.",
-			"./path", ".//path", ".", "/path//" };
+		"./path", ".//path", ".", "//path", "//path/path", "//path//path", "/path//path" };
 	private StrictHttpFirewall firewall = new StrictHttpFirewall();