Updates to resource handling for functional endpoints

[rstoyanchev]

The built-in handling of resources in Spring MVC and WebFlux gets updated occasionally, but the functional programming model hasn't stayed up-to-date. Those should be functionally equivalent where it makes sense.

[drdpov]

Hello @rstoyanchev, hope you are doing well. I've come across this PR and noticed, that there is one minor issue. I've created a PR, which should resolve it, could you please take a look? #33568

[lucky8987]

@drdpov Hello, as we currently have no plans to upgrade to version 6.1. x, this issue has triggered a high-risk vulnerability: https://spring.io/security/cve-2024-38816 Can you fix those issues specifically for version 5.3.39?

[bclozel]

@lucky8987 all CVE fixes are already backported to 5.3.x, see our announcement blog post and the advisory you've linked to. 5.3.x is not OSS supported anymore so you'll have to upgrade to a newer generation or consider commercial support.

[lucky8987]

@lucky8987 all CVE fixes are already backported to 5.3.x, see our announcement blog post and the advisory you've linked to. 5.3.x is not OSS supported anymore so you'll have to upgrade to a newer generation or consider commercial support.

I understand, thanks !

[luckymanbuddha]

@bclozel Hello, I would like to ask if CVE-2024-38819 is the same as CVE-2024-38816 can use Tomcat or Jetty as the web server to reject such malicious requests? Thank you.

[bclozel]

@luckymanbuddha I believe the Spring Security firewall will protect against those, but not Tomcat nor Jetty.