From a2aeb95b59761f12e8321637ec798a234044dbe0 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Tue, 6 Oct 2020 09:05:18 -0600 Subject: [PATCH] Update What's New Link Issue gh-9038 --- docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc | 2 +- .../src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc b/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc index 57f741c17d..2bbaef0a41 100644 --- a/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc @@ -81,7 +81,7 @@ Here's what you'll see in this release: * Renamed https://github.com/spring-projects/spring-security/issues/8676[whitelist and blacklist to allowlist and blocklist] * Added https://github.com/spring-projects/spring-security/pull/7052[`RequestRejectedHandler`] -* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`] +* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`] to <> * Made https://github.com/spring-projects/spring-security/issues/5438[`SessionRegistry` aware of `SessionIdChangedEvent`] * Allow https://github.com/spring-projects/spring-security/issues/8402[`AesBytesEncryptor` to be constructed with a real key] * https://github.com/spring-projects/spring-security/pull/8450[Deprecated OpenID 2.0 support] diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc index a5781e692d..71171992b3 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc 
@@ -132,6 +132,8 @@ See https://jira.spring.io/browse/SPR-16851[SPR_16851] for an issue requesting t If you must allow any HTTP method (not recommended), you can use `StrictHttpFirewall.setUnsafeAllowAnyHttpMethod(true)`. This will disable validation of the HTTP method entirely. +[[servlet-httpfirewall-headers-parameters]] + `StrictHttpFirewall` also checks header names and values and parameter names. It requires that each character have a defined code point and not be a control character.
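Review bot: in the whats-new.adoc hunk, the cross-reference appended to the `StrictHttpFirewall` bullet reads as an empty `<>` on this page, so the link target and its text cannot be checked here; it should point at the `servlet-httpfirewall-headers-parameters` anchor that the firewall.adoc hunk introduces, and the link text should tell the What's New reader what was strengthened (the header-name, header-value and parameter-name checks described in the anchored paragraph), since "Strengthened `StrictHttpFirewall` to" on its own does not say what changed.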
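Review bot: in the firewall.adoc hunk, the new `[[servlet-httpfirewall-headers-parameters]]` anchor is followed by a blank line before the paragraph it is meant to label; confirm that the AsciiDoc processor still attaches a block anchor across that blank line, or drop the blank line so the anchor sits directly above the paragraph. Consider also whether the cross-reference would be better served by a titled subsection than by an anchored plain paragraph, since a link into the middle of a section gives the reader no heading to orient by.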