The Spring Security Firewall is preventing the addition of folded HTTP headers. Attempting to do so results in an IllegalArgumentException being thrown and a 500 Internal Server Error being returned to the caller.
This has been caused by the change to prevent CRLF Injection (SEC-1790), but it does not take account of the fact that the header value may be folded, as described in RFC 2616 section 2.2.
This can be reproduced by the following servlet.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet( "/FoldedHeaderTest" )
public class FoldedHeaderServlet extends HttpServlet {
    @Override
    protected void doGet( HttpServletRequest req, HttpServletResponse resp ) throws ServletException, IOException {
        // Each value is folded per RFC 2616 s2.2: CRLF followed by one or more SP / HT.
        // CRLF + single space
        resp.addHeader( "X-Folded-header-space", "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680;\r\n authenticated=true" );
        // CRLF + single tab
        resp.addHeader( "X-Folded-header-tab", "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680;\r\n\tauthenticated=true" );
        // CRLF + tab and space
        resp.addHeader( "X-Folded-header-whitespace", "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680;\r\n\t authenticated=true" );
        PrintWriter writer = resp.getWriter();
        writer.println( "<!DOCTYPE html>" );
        writer.println( "<html><body>" );
        writer.println( "<p>FoldedHeaderServlet.<br />Please check the http headers in the response</p>" );
        writer.println( "</body></html>" );
    }
}
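For anyone hitting this, the distinction the firewall has to make is between a CRLF that starts an RFC 2616 fold (CRLF immediately followed by at least one SP or HTAB) and a CRLF that starts a new header line (injection). The following is an added, illustrative check and is not Spring Security's own code; the class name `HeaderValueCheck`, the `Kind` enum and the sample values (one of which is a constructed injection attempt) are assumptions made for the example. Note that RFC 7230 section 3.2.4, which obsoleted RFC 2616, deprecates obs-fold and forbids senders from generating it, so the safest way to avoid the 500 without loosening the firewall is to unfold the value (one SP per fold) before calling `addHeader`, which is what `unfold` does.

```java
import java.util.regex.Pattern;

/**
 * Illustrative header-value check (example code, not Spring Security's).
 * RFC 2616 s2.2 LWS = [CRLF] 1*( SP | HT ): a CR is legal only as the
 * start of CRLF followed by SP/HTAB (obs-fold). Any other CR or LF is a
 * line-break injection attempt and must be rejected.
 */
public final class HeaderValueCheck {

    private static final Pattern OBS_FOLD = Pattern.compile("\r\n[ \t]+");

    public enum Kind { PLAIN, OBS_FOLD, CRLF_INJECTION }

    /** Classify a header value: plain, legitimately folded, or injection. */
    public static Kind classify(String value) {
        boolean folded = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r') {
                // CR must be followed by LF and then SP or HTAB to be a fold.
                if (i + 2 < value.length()
                        && value.charAt(i + 1) == '\n'
                        && (value.charAt(i + 2) == ' ' || value.charAt(i + 2) == '\t')) {
                    folded = true;
                    i += 2; // skip LF and the first whitespace char
                } else {
                    return Kind.CRLF_INJECTION; // bare CR, or CRLF not followed by LWS
                }
            } else if (c == '\n') {
                return Kind.CRLF_INJECTION; // bare LF
            }
        }
        return folded ? Kind.OBS_FOLD : Kind.PLAIN;
    }

    /**
     * Replace each obs-fold with a single SP (the RFC 7230 s3.2.4 receiver
     * rule) so the value can be passed to addHeader without any CR/LF.
     * Throws on injection attempts instead of silently stripping them.
     */
    public static String unfold(String value) {
        if (classify(value) == Kind.CRLF_INJECTION) {
            throw new IllegalArgumentException("Invalid characters (CR/LF) in header value");
        }
        return OBS_FOLD.matcher(value).replaceAll(" ");
    }

    public static void main(String[] args) {
        // Constructed sample values: the three folded forms from the servlet
        // above plus two injection attempts (not from any real traffic).
        String[] samples = {
            "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680;\r\n authenticated=true",
            "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680;\r\n\tauthenticated=true",
            "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680;\r\n\t authenticated=true",
            "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680\r\nSet-Cookie: admin=true",
            "ticket=9b116fbd-234d-4b45-a3b9-2ff54d911680\rauthenticated=true",
        };
        for (String s : samples) {
            Kind kind = classify(s);
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(kind + " <- " + shown);
            if (kind != Kind.CRLF_INJECTION) {
                System.out.println("    unfolded: " + unfold(s));
            }
        }
    }
}
```

The first three samples classify as OBS_FOLD and unfold to a single-line value; the last two classify as CRLF_INJECTION and `unfold` throws, which is the behaviour you want at the point where the value is handed to the response.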
Comment From: rwinch
This is likely to break passivity, so we should assess it for 6.0.x or close it.