SEC-2059: Ignore Query String for Resolving Path Variables

2025-10-30 22:28:46 +00:00 · 2015-09-01 09:52:47 -05:00 · 2015-09-01 09:52:47 -05:00 · 97969ea9d2
commit 97969ea9d2
parent adfeb96e2f
2 changed files with 70 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessor.java
@ -17,6 +17,8 @@ package org.springframework.security.web.access.expression;

 import java.util.Map;

+import javax.servlet.http.HttpServletRequest;
+
 import org.springframework.expression.EvaluationContext;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.util.AntPathMatcher;
@ -51,11 +53,22 @@ class PathVariableSecurityEvaluationContextPostProcessor implements SecurityEval
 		if(antPattern == null) {
 			return context;
 		}
-		Map<String, String> variables = matcher.extractUriTemplateVariables(antPattern, invocation.getRequestUrl());
+
+		String path = getRequestPath(invocation.getHttpRequest());
+		Map<String, String> variables = matcher.extractUriTemplateVariables(antPattern, path);
 		for(Map.Entry<String, String> entry : variables.entrySet()) {
 			context.setVariable(entry.getKey(), entry.getValue());
 		}
 		return context;
 	}

+	private String getRequestPath(HttpServletRequest request) {
+		String url = request.getServletPath();
+
+		if (request.getPathInfo() != null) {
+			url += request.getPathInfo();
+		}
+
+		return url;
+	}
 }
--- a/web/src/test/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/expression/PathVariableSecurityEvaluationContextPostProcessorTests.java
@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.access.expression;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.FilterInvocation;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class PathVariableSecurityEvaluationContextPostProcessorTests {
+	PathVariableSecurityEvaluationContextPostProcessor processor;
+
+	FilterInvocation invocation;
+
+	MockHttpServletRequest request;
+	MockHttpServletResponse response;
+	StandardEvaluationContext context;
+
+	@Before
+	public void setup() {
+		processor = new PathVariableSecurityEvaluationContextPostProcessor("/");
+
+		request = new MockHttpServletRequest();
+		request.setServletPath("/");
+		response = new MockHttpServletResponse();
+		invocation = new FilterInvocation(request,response, new MockFilterChain());
+		context = new StandardEvaluationContext();
+	}
+
+	@Test
+	public void queryIgnored() {
+		request.setQueryString("logout");
+		processor.postProcess(context, invocation);
+	}
+
+}