Update What's New Link

Issue gh-9038
2025-05-30 00:32:14 +00:00 · 2020-10-06 09:05:18 -06:00 · 2020-10-06 09:05:18 -06:00 · a2aeb95b59
commit a2aeb95b59
parent 320567128a
2 changed files with 3 additions and 1 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc
@ -81,7 +81,7 @@ Here's what you'll see in this release:

 * Renamed https://github.com/spring-projects/spring-security/issues/8676[whitelist and blacklist to allowlist and blocklist]
 * Added https://github.com/spring-projects/spring-security/pull/7052[`RequestRejectedHandler`]
-* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`]
+* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`] to <<servlet-httpfirewall-headers-parameters,verify header and parameter names and values>>
 * Made https://github.com/spring-projects/spring-security/issues/5438[`SessionRegistry` aware of `SessionIdChangedEvent`]
 * Allow https://github.com/spring-projects/spring-security/issues/8402[`AesBytesEncryptor` to be constructed with a real key]
 * https://github.com/spring-projects/spring-security/pull/8450[Deprecated OpenID 2.0 support]
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc
@ -132,6 +132,8 @@ See https://jira.spring.io/browse/SPR-16851[SPR_16851] for an issue requesting t
 If you must allow any HTTP method (not recommended), you can use `StrictHttpFirewall.setUnsafeAllowAnyHttpMethod(true)`.
 This will disable validation of the HTTP method entirely.

+[[servlet-httpfirewall-headers-parameters]]
+
 `StrictHttpFirewall` also checks header names and values and parameter names.
 It requires that each character have a defined code point and not be a control character.