Closed
**Describe the bug**

The `RequestRejectedHandler` was added to provide a configurable way of handling `RequestRejectedException` thrown by `HttpFirewall`. When using an `HttpStatusRequestRejectedHandler` the exception is handled by returning an HTTP status code (400 by default) to the client. Unfortunately this is not reliably the case and I consider this a bug.
**To Reproduce**

- Use `StrictHttpFirewall` with `HttpStatusRequestRejectedHandler`
- Send a request with an HTTP header `X-Test` with a value containing `\u0099`

Then two things can happen:

- Internal Server Error
  - Implement an endpoint that reads the header `X-Test`
  - An HTTP status code 500 is returned (`org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the header value "Test �" is not allowed.`)

or

- Success
  - Implement an endpoint that does not read headers
  - An HTTP status code 200 is returned
**Expected behavior**

- Consistent behavior in both cases
- The configured status code of `HttpStatusRequestRejectedHandler` (400 by default)
**Sample**

https://github.com/osiegmar/spring-firewall-bug
**Additional notes**

- The character value `\u0099` is considered invalid by `StrictHttpFirewall` (via regex pattern `[\p{IsAssigned}&&[^\p{IsControl}]]*`) but it seems to be valid according to section 3.2 of RFC 7230 (`field-vchar = VCHAR / obs-text ; VCHAR = %x21-7E ; obs-text = %x80-FF`)
- I assume that there are more cases when this can happen (e.g. invalid parameter names)
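The character rule quoted above, placed beside the RFC 7230 `field-content` grammar it is compared with, as an added example that is neither Spring Security's code nor the issue's sample project. It assumes the header value is exposed as ISO-8859-1 characters (one `char` per wire byte, as servlet containers do), and goes slightly beyond the issue's single case: the same rule also rejects an HTAB inside a value, which RFC 7230 permits between two `field-vchar`.

```java
import java.util.regex.Pattern;

public class HeaderValueCheck {

    // The pattern quoted in the issue: every char must be an assigned Unicode
    // code point that is not a control character (general category Cc).
    private static final Pattern STRICT_FIREWALL_HEADER_VALUE =
            Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");

    /** The check the issue attributes to StrictHttpFirewall (re-implemented here). */
    static boolean allowedByStrictFirewall(String value) {
        return STRICT_FIREWALL_HEADER_VALUE.matcher(value).matches();
    }

    /**
     * RFC 7230 section 3.2, chars taken as ISO-8859-1 bytes (assumption):
     *   field-vchar   = VCHAR / obs-text ; VCHAR = %x21-7E ; obs-text = %x80-FF
     *   field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
     *   field-value   = *( field-content / obs-fold )
     * So: any mix of field-vchar, SP and HTAB that neither starts nor ends with
     * SP / HTAB; the empty value is legal as well.
     */
    static boolean allowedByRfc7230(String value) {
        if (value.isEmpty()) return true;
        if (isOws(value.charAt(0)) || isOws(value.charAt(value.length() - 1))) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean vchar = c >= 0x21 && c <= 0x7E;
            boolean obsText = c >= 0x80 && c <= 0xFF;
            if (!(vchar || obsText || isOws(c))) return false;
        }
        return true;
    }

    private static boolean isOws(char c) { return c == ' ' || c == '\t'; }

    public static void main(String[] args) {
        // Constructed sample values: the issue's case, an HTAB, obs-text only, and a CRLF.
        String[] samples = { "Test \u0099", "Test\tvalue", "caf\u00e9", "x\r\ny" };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t");
            // Expected: firewall=false rfc7230=true ; false true ; true true ; false false
            System.out.printf("%-12s firewall=%-5s rfc7230=%s%n",
                    shown, allowedByStrictFirewall(s), allowedByRfc7230(s));
        }
    }
}
```

The first two rows show values the firewall rejects although the RFC accepts them; the last row is rejected by both, which is the outcome one actually wants from a header-value check.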