Spring Security / SEC-1802

RFC 1738 / 3986 compliant schemes will not be recognized as valid schemes.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.1.0
    • Component/s: Web
    • Labels:
      None

      Description

      org.springframework.security.web.util.UrlUtils.isAbsoluteUrl(String) checks whether the given URL is absolute. This is done by checking whether the URL starts with a valid scheme. But some valid schemes (RFC 1738 / 3986) will not be accepted (e.g. http1). In general, all schemes containing digits will be rejected.

        Activity

        Luke Taylor added a comment -

        Added digits to regex for matching the URL scheme.
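The behaviour reported above can be reproduced with a small comparison. This is an added example, not the project's code or its actual patch: the class name, both patterns and the sample URLs are constructed here. The "before" pattern assumes a scheme check that allows only letters, `.`, `+` and `-`, and the second pattern follows the RFC 3986 section 3.1 grammar.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class SchemeCheckDemo {
    // Constructed "before" pattern: scheme limited to letters, '.', '+', '-'.
    // It reproduces the behaviour described in the issue; it is not copied from the project source.
    static final Pattern LETTERS_ONLY =
            Pattern.compile("\\A[a-z.+-]+://.*", Pattern.CASE_INSENSITIVE);

    // RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    static final Pattern RFC3986 =
            Pattern.compile("\\A[a-z][a-z0-9+.-]*://.*", Pattern.CASE_INSENSITIVE);

    static boolean isAbsolute(Pattern p, String url) {
        return url != null && p.matcher(url).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs mapped to the result expected under the RFC 3986 grammar.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("http://example.org/a", true);
        samples.put("http1://example.org/a", true);      // scheme named in the issue description
        samples.put("x9://example.org/", true);          // constructed scheme containing a digit
        samples.put("svn+ssh://example.org/repo", true);
        samples.put("/app/login", false);                // relative path, no scheme
        samples.put("1http://example.org/", false);      // a scheme must start with a letter

        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean before = isAbsolute(LETTERS_ONLY, e.getKey());
            boolean after = isAbsolute(RFC3986, e.getKey());
            if (after != e.getValue()) {
                throw new AssertionError("unexpected result for " + e.getKey());
            }
            System.out.printf("%-28s letters-only=%-5b rfc3986=%-5b%s%n",
                    e.getKey(), before, after, before != after ? "  <-- differs" : "");
        }
    }
}
```

Only the two inputs whose scheme contains a digit are classified differently by the two patterns. A leading digit stays rejected because the RFC grammar requires the first scheme character to be a letter.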


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Enrico Kufahl
          • Votes:
            0
            Watchers:
            1
