Remove support for relative paths in static resource handling #33687
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
type: enhancement
A general enhancement
Following the updates to URL parsing in #33639, it's clear that with the WHATWG URL Living Standard spec, there is no good reason to expect URL paths that are not normalized. Those have been a source of security issues, and while we have protections against them in static resource handling, and they are also rejected by the Spring Security firewall, we can now drop support for them altogether going forward.
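A sketch of what rejecting non-normalized paths in static resource handling can look like, checking both the raw and the percent-decoded form before mapping the path to a file. This is an added example built only on JDK classes, not Spring Framework's implementation or code from the issue; `StaticPathCheck`, `isNormalized`, `resolve` and the sample paths are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.List;
import java.util.Optional;

// Added illustration, not Spring Framework code; class and method names are hypothetical.
public class StaticPathCheck {

    // A path is treated as normalized when it has no backslash and no "." or ".." segment.
    static boolean isNormalized(String path) {
        if (path.indexOf('\\') >= 0) return false;
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) return false;
        }
        return true;
    }

    // Returns the file under root, or empty when the request path must be rejected.
    static Optional<Path> resolve(Path root, String requestPath) {
        String decoded = requestPath;
        try {
            // Bounded repeated decoding so double-encoded dot segments are seen too.
            // Conservative: this can reject file names that contain a literal '%'.
            for (int i = 0; i < 3 && decoded.contains("%"); i++) {
                if (!isNormalized(decoded)) return Optional.empty();
                decoded = URLDecoder.decode(decoded.replace("+", "%2B"), StandardCharsets.UTF_8);
            }
            if (decoded.contains("%") || !isNormalized(decoded)) return Optional.empty();
            Path base = root.toAbsolutePath().normalize();
            // Defense in depth: the resolved file must still sit under the root.
            Path file = base.resolve(decoded.replaceFirst("^/+", "")).normalize();
            return file.startsWith(base) ? Optional.of(file) : Optional.empty();
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed escape or invalid path characters
        }
    }

    public static void main(String[] args) {
        Path root = Path.of("static"); // constructed sample root and request paths
        for (String p : List.of("/css/site.css", "/css/../../app.properties",
                "/css/%2e%2e/%2e%2e/app.properties", "/css/%252e%252e/app.properties",
                "/img\\..\\app.properties")) {
            System.out.println(p + " -> " + resolve(root, p).map(Path::toString).orElse("rejected"));
        }
    }
}
```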