SEC-1714: RegexRequestMatcher should prepend question mark to query string.

2025-05-30 00:32:14 +00:00 · 2011-04-11 14:02:54 +01:00 · 2011-04-11 14:02:54 +01:00 · ef72dd1986
commit ef72dd1986
parent 49dd928faa
2 changed files with 45 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/util/RegexRequestMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/RegexRequestMatcher.java
@ -55,7 +55,7 @@ public final class RegexRequestMatcher implements RequestMatcher {

    /**
     * Performs the match of the request URL ({@code servletPath + pathInfo + queryString}) against
-     * the compiled pattern.
+     * the compiled pattern. If the query string is present, a question mark will be prepended.
     *
     * @param request the request to match
     * @return true if the pattern matches the URL, false otherwise.
@ -77,7 +77,7 @@ public final class RegexRequestMatcher implements RequestMatcher {
            }

            if (query != null) {
-                sb.append(query);
+                sb.append('?').append(query);
            }
            url = sb.toString();
        }
--- a/web/src/test/java/org/springframework/security/web/util/RegexRequestMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/RegexRequestMatcherTests.java
@ -0,0 +1,43 @@
+package org.springframework.security.web.util;
+
+import static org.junit.Assert.*;
+
+import org.junit.*;
+import org.springframework.mock.web.MockHttpServletRequest;
+
+/**
+ * @author Luke Taylor
+ */
+public class RegexRequestMatcherTests {
+
+    @Test
+    public void doesntMatchIfHttpMethodIsDifferent() throws Exception {
+        RegexRequestMatcher matcher = new RegexRequestMatcher(".*", "GET");
+
+        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/anything");
+
+        assertFalse(matcher.matches(request));
+    }
+
+    @Test
+    public void matchesIfHttpMethodAndPathMatch() throws Exception {
+        RegexRequestMatcher matcher = new RegexRequestMatcher(".*", "GET");
+
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/anything");
+        request.setServletPath("/anything");
+
+        assertTrue(matcher.matches(request));
+    }
+
+    @Test
+    public void queryStringIsMatcherCorrectly() throws Exception {
+        RegexRequestMatcher matcher = new RegexRequestMatcher(".*\\?x=y", "GET");
+
+        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/any/path?x=y");
+        request.setServletPath("/any");
+        request.setPathInfo("/path");
+        request.setQueryString("x=y");
+
+        assertTrue(matcher.matches(request));
+    }
+}