diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
index fc051810f2..ddfc2e8faa 100644
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -314,7 +314,7 @@ public class StrictHttpFirewall implements HttpFirewall {
 int length = uri.length();
 for (int i = 0; i < length; i++) {
 char c = uri.charAt(i);
- if (c < '\u0021' || '\u007e' < c) {
+ if (c < '\u0020' || c > '\u007e') {
 return false;
 }
 }
diff --git a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
index 5613ad4dbc..5d2e57d3e7 100644
--- a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
+++ b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
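Review bot: The accepted range on the `+` line is given as two bare character literals, and nothing in the code says why the lower bound moved from 0x21 to 0x20 while 0x7f stays excluded; a reader has to go to the tests to learn that a plain space is now deliberately accepted and that C0 controls and DEL are still rejected. Add a comment above the `if`: `// accept printable US-ASCII only: SP (0x20) through '~' (0x7e); C0 controls (incl. TAB/CR/LF) and DEL (0x7f) are rejected`. The enclosing method begins before and ends after this hunk, so if its Javadoc describes the accepted character range it should be updated to match the new lower bound.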
@@ -297,6 +297,30 @@ public class StrictHttpFirewallTests {
 this.firewall.getFirewalledRequest(this.request);
 }
 
+ @Test(expected = RequestRejectedException.class)
+ public void getFirewalledRequestWhenExceedsLowerboundAsciiThenException() {
+ this.request.setRequestURI("/\u0019");
+ this.firewall.getFirewalledRequest(this.request);
+ }
+
+ @Test
+ public void getFirewalledRequestWhenContainsLowerboundAsciiThenNoException() {
+ this.request.setRequestURI("/ ");
+ this.firewall.getFirewalledRequest(this.request);
+ }
+
+ @Test
+ public void getFirewalledRequestWhenContainsUpperboundAsciiThenNoException() {
+ this.request.setRequestURI("/~");
+ this.firewall.getFirewalledRequest(this.request);
+ }
+
+ @Test(expected = RequestRejectedException.class)
+ public void getFirewalledRequestWhenExceedsUpperboundAsciiThenException() {
+ this.request.setRequestURI("/\u007f");
+ this.firewall.getFirewalledRequest(this.request);
+ }
+
 // --- from DefaultHttpFirewallTests ---
 
 /**
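Review bot: The lower-bound rejection test `getFirewalledRequestWhenExceedsLowerboundAsciiThenException` uses `"/\u0019"`, which is several code points below the new boundary, so it would have passed against the old `'\u0021'` check too and does not pin the edge of the fix; the upper-bound pair, by contrast, tests `~` and `\u007f` exactly. Use the character immediately below SP: `this.request.setRequestURI("/\u001f");`. Only `getFirewalledRequestWhenContainsLowerboundAsciiThenNoException` (`"/ "`) actually distinguishes the new behaviour from the old, so consider adding a companion test asserting that a tab or CR/LF in the URI is still rejected, which records that the relaxation stops at SP and guards against a future loosening of the control-character check.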