I noticed that in org.springframework.web.util.UrlPathHelper#decodeAndCleanUriString special URLs are processed as follows:

```java
uri = removeSemicolonContent(uri);
uri = decodeRequestString(request, uri);
uri = getSanitizedPath(uri);
return uri;
```

With this process, a URI like /;/a/b/c will be changed to //a/b/c, and /;/a%2fb/c will be changed to //a/b/c. This can differ in a Filter (for example, Jetty), which will confuse the developer. Sometimes it may cause a security bug.

I'd like to ask: is there any specification, such as an RFC, the Servlet specification, or anything else? If any specification is available, we can follow it.

Thanks!

Comment From: rstoyanchev

The Servlet API unfortunately does not specify precisely how the servletPath is to be normalized. This is why it's best to avoid reliance on the servletPath.

For example if the Servlet is mapped to "/" then you can set alwaysUseFullPath to true and with Servlet 4.0 present we automatically detect that and bypass use of the servletPath. Another option is to switch to use of the parsed PathPattern as an alternative to AntPathMatcher as well as UrlPathHelper, and with PathPattern you also get support for Servlets mapped by prefix, e.g. "/myServlet" without the need for normalizing, that is assuming the prefix itself does not have any characters that require encoding.

Yet another option is to reject URLs that contain ";" if you don't expect them or duplicate slashes. The Spring Security firewall does that.
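To make the two points above concrete (the three-step normalization quoted in the opening post, and the advice to reject ";" and duplicate slashes before they reach any path-based logic), here is an added Python model. It is not Spring's code and not part of this issue: the three functions re-implement the behaviour described for removeSemicolonContent, decodeRequestString and getSanitizedPath, assuming UTF-8 as the request encoding and assuming the sanitize step collapses runs of slashes. The first two stages reproduce the //a/b/c result the post reports; the reject rule also covers an encoded slash (%2f), which is my extension based on the post's second example.

```python
from urllib.parse import unquote

# Added example: a model of the normalization steps named in the issue.
# Not Spring's implementation; slash-collapsing in sanitize_path is an assumption.


def remove_semicolon_content(uri: str) -> str:
    """Drop ';...' (path parameters) from every segment, keeping the '/' that ends it."""
    return "/".join(segment.split(";", 1)[0] for segment in uri.split("/"))


def decode_request_string(uri: str) -> str:
    """Percent-decode the path; the request encoding is assumed to be UTF-8."""
    return unquote(uri, encoding="utf-8")


def sanitize_path(uri: str) -> str:
    """Collapse duplicate slashes (assumed behaviour of the sanitize step)."""
    while "//" in uri:
        uri = uri.replace("//", "/")
    return uri


def normalization_steps(uri: str) -> tuple:
    """Return the path after each of the three stages, in order."""
    after_semicolon = remove_semicolon_content(uri)
    after_decode = decode_request_string(after_semicolon)
    after_sanitize = sanitize_path(after_decode)
    return (after_semicolon, after_decode, after_sanitize)


def normalize(uri: str) -> str:
    """Final path as a Spring-side mapping would see it under this model."""
    return normalization_steps(uri)[-1]


def reject_suspicious(raw_uri: str) -> bool:
    """Firewall-style check on the RAW request URI, before any normalization.

    Rejects the inputs whose meaning changes between a container-level Filter
    (which sees the raw path) and Spring's normalized path: path parameters (';'),
    duplicate slashes, and an encoded slash in either case.
    """
    return ";" in raw_uri or "//" in raw_uri or "%2f" in raw_uri.lower()


def differs_from_raw(raw_uri: str) -> bool:
    """True when normalization would change the path; useful as a log/alert signal."""
    return normalize(raw_uri) != raw_uri


if __name__ == "__main__":
    # Constructed sample inputs: the two paths from the issue plus a benign one.
    for raw in ("/;/a/b/c", "/;/a%2fb/c", "/plain/path"):
        stages = normalization_steps(raw)
        print(f"{raw!r}: semicolon->{stages[0]!r} decode->{stages[1]!r} "
              f"sanitize->{stages[2]!r} reject={reject_suspicious(raw)} "
              f"changed={differs_from_raw(raw)}")
```

The useful defensive pattern is the order: run the rejection check on the raw URI before any normalization, and treat differs_from_raw as a signal worth logging, since a path that a Filter and a Spring mapping interpret differently is exactly the confusing case the post describes.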

Comment From: rstoyanchev

I've set this to 5.3.6 in order to update the documentation with comprehensive advice on the topic. There have been a number of changes in 5.3 that should be summarized.

Comment From: ZH3FENG

Thanks