Upgrade to Undertow 2.3.4.Final

wilkinsona · wilkinsona · commit c40e9f437fd2 · 2023-02-20T20:29:49.000Z
Closes gh-34304
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@@ -1534,10 +1534,19 @@ public static class Undertow {
 		 * Whether the server should decode percent encoded slash characters. Enabling
 		 * encoded slashes can have security implications due to different servers
 		 * interpreting the slash differently. Only enable this if you have a legacy
-		 * application that requires it.
+		 * application that requires it. Has no effect when server.undertow.decode-slash
+		 * is set.
 		 */
 		private boolean allowEncodedSlash = false;
 
+		/**
+		 * Whether encoded slash characters (%2F) should be decoded. Decoding can cause
+		 * security problems if a front-end proxy does not perform the same decoding. Only
+		 * enable this if you have a legacy application that requires it. When set,
+		 * server.undertow.allow-encoded-slash has no effect.
+		 */
+		private Boolean decodeSlash;
+
 		/**
 		 * Whether the URL should be decoded. When disabled, percent-encoded characters in
 		 * the URL will be left as-is.
@@ -1631,14 +1640,25 @@ public void setMaxCookies(Integer maxCookies) {
 			this.maxCookies = maxCookies;
 		}
 
+		@DeprecatedConfigurationProperty(replacement = "server.undertow.decode-slash")
+		@Deprecated(forRemoval = true, since = "3.0.3")
 		public boolean isAllowEncodedSlash() {
 			return this.allowEncodedSlash;
 		}
 
+		@Deprecated(forRemoval = true, since = "3.0.3")
 		public void setAllowEncodedSlash(boolean allowEncodedSlash) {
 			this.allowEncodedSlash = allowEncodedSlash;
 		}
 
+		public Boolean getDecodeSlash() {
+			return this.decodeSlash;
+		}
+
+		public void setDecodeSlash(Boolean decodeSlash) {
+			this.decodeSlash = decodeSlash;
+		}
+
 		public boolean isDecodeUrl() {
 			return this.decodeUrl;
 		}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/UndertowWebServerFactoryCustomizer.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/UndertowWebServerFactoryCustomizer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -98,7 +98,7 @@ private void mapUndertowProperties(ConfigurableUndertowWebServerFactory factory,
 		map.from(properties::getMaxParameters).to(serverOptions.option(UndertowOptions.MAX_PARAMETERS));
 		map.from(properties::getMaxHeaders).to(serverOptions.option(UndertowOptions.MAX_HEADERS));
 		map.from(properties::getMaxCookies).to(serverOptions.option(UndertowOptions.MAX_COOKIES));
-		map.from(properties::isAllowEncodedSlash).to(serverOptions.option(UndertowOptions.ALLOW_ENCODED_SLASH));
+		mapSlashProperties(properties, serverOptions);
 		map.from(properties::isDecodeUrl).to(serverOptions.option(UndertowOptions.DECODE_URL));
 		map.from(properties::getUrlCharset).as(Charset::name).to(serverOptions.option(UndertowOptions.URL_CHARSET));
 		map.from(properties::isAlwaysSetKeepAlive).to(serverOptions.option(UndertowOptions.ALWAYS_SET_KEEP_ALIVE));
@@ -109,6 +109,14 @@ private void mapUndertowProperties(ConfigurableUndertowWebServerFactory factory,
 		map.from(properties.getOptions()::getSocket).to(socketOptions.forEach(socketOptions::option));
 	}
 
+	@SuppressWarnings({ "deprecation", "removal" })
+	private void mapSlashProperties(Undertow properties, ServerOptions serverOptions) {
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		map.from(properties::isAllowEncodedSlash).to(serverOptions.option(UndertowOptions.ALLOW_ENCODED_SLASH));
+		map.from(properties::getDecodeSlash).to(serverOptions.option(UndertowOptions.DECODE_SLASH));
+
+	}
+
 	private boolean isPositive(Number value) {
 		return value.longValue() > 0;
 	}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/UndertowWebServerFactoryCustomizerTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/UndertowWebServerFactoryCustomizerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -150,11 +150,18 @@ void customizeWorkerThreads() {
 	}
 
 	@Test
+	@Deprecated(forRemoval = true, since = "3.0.3")
 	void allowEncodedSlashes() {
 		bind("server.undertow.allow-encoded-slash=true");
 		assertThat(boundServerOption(UndertowOptions.ALLOW_ENCODED_SLASH)).isTrue();
 	}
 
+	@Test
+	void enableSlashDecoding() {
+		bind("server.undertow.decode-slash=true");
+		assertThat(boundServerOption(UndertowOptions.DECODE_SLASH)).isTrue();
+	}
+
 	@Test
 	void disableUrlDecoding() {
 		bind("server.undertow.decode-url=false");
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1489,7 +1489,7 @@ bom {
 			]
 		}
 	}
-	library("Undertow", "2.3.3.Final") {
+	library("Undertow", "2.3.4.Final") {
 		group("io.undertow") {
 			modules = [
 				"undertow-core",

Original file line number	Diff line number	Diff line change
`@@ -1489,7 +1489,7 @@ bom {`
`1489`	`1489`	`]`
`1490`	`1490`	`}`
`1491`	`1491`	`}`
`1492`		`- library("Undertow", "2.3.3.Final") {`
	`1492`	`+ library("Undertow", "2.3.4.Final") {`
`1493`	`1493`	`group("io.undertow") {`
`1494`	`1494`	`modules = [`
`1495`	`1495`	`"undertow-core",`