
Special characters in the cookie causing 400 bad requests from Spring Security

Open xiechangning20 opened this issue 1 year ago • 0 comments

Describe the bug: Special characters in the cookie cause 400 bad requests from the Spring Security HTTP firewall.

To Reproduce: Steps to reproduce the behavior locally:

  1. Go to home page, for instance: http://localhost:8080/catalogue/srv/eng/catalog.search
  2. Go to the application tab in the browser and add a cookie with special characters, such as ẞ, 我, ’, 😀
  3. Refresh the page
  4. You will see the described 400 bad request error in the UI

Expected behavior: Support special characters in the cookie.


Log file: Error message from Spring

Message: Cannot build ServiceRequest
Cause: The request was rejected because the header value "XSRF-TOKEN=4e62422e-0856-4b71-9dd6-ac8c8c5ce378; JSESSIONID=419CAE53ADA85118DC471FA40C563195; serverTime=1721755840263; sessionExpiry=1721755840263; test=ðŸ˜€" is not allowed.
Error: org.springframework.security.web.firewall.RequestRejectedException

Desktop (please complete the following information):

  • Browser: Edge
  • GeoNetwork Version: 4.2.9
  • Server Application: Tomcat 9.0.87 with Java 8

Additional context: Likely caused by Spring misinterpreting the cookie value as ISO-8859-1 (Latin-1) instead of UTF-8, which can be fixed by configuring the following: https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html

xiechangning20, Jul 23 '24 17:07
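An added example, not code from the issue or from GeoNetwork, showing why the rejected value in the log fails the firewall's header check and how the re-decoding predicate described on the linked Spring Security docs page lets it through. The class name Utf8HeaderFirewallConfig and the helper names are hypothetical; the example assumes Spring Security 5.4 or later (which has StrictHttpFirewall.setAllowedHeaderValues) and that the servlet container decoded the raw header bytes as ISO-8859-1, which is what turned the four UTF-8 bytes of 😀 into the "ðŸ˜€" seen in the log. The regex is the assigned-and-not-control character class the Spring docs show for header values.

```java
import static java.nio.charset.StandardCharsets.ISO_8859_1;
import static java.nio.charset.StandardCharsets.UTF_8;

import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Hypothetical configuration (not GeoNetwork's own): accept cookie/header values
 * that are valid UTF-8 even though the container decoded them as ISO-8859-1.
 */
@Configuration
public class Utf8HeaderFirewallConfig {

    // Character class from the Spring Security firewall docs: any assigned
    // Unicode code point that is not a control character.
    private static final Pattern ASSIGNED_AND_NOT_CONTROL =
            Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");

    /** Check the value exactly as the container handed it over (Latin-1 view). */
    static boolean allowedAsIs(String headerValue) {
        return ASSIGNED_AND_NOT_CONTROL.matcher(headerValue).matches();
    }

    /**
     * Recover the original bytes (Latin-1 is a 1:1 byte mapping), decode them as
     * UTF-8, and check the result. Real control characters such as CR/LF are
     * unchanged by the re-decoding and are still rejected.
     */
    static boolean allowedAsUtf8(String headerValue) {
        String reDecoded = new String(headerValue.getBytes(ISO_8859_1), UTF_8);
        return ASSIGNED_AND_NOT_CONTROL.matcher(reDecoded).matches();
    }

    @Bean
    public StrictHttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHeaderValues(Utf8HeaderFirewallConfig::allowedAsUtf8);
        return firewall;
    }

    public static void main(String[] args) {
        // Constructed input: the bytes on the wire for "test=😀" (U+1F600 is
        // F0 9F 98 80 in UTF-8), decoded as ISO-8859-1 the way the container does.
        byte[] raw = "test=\uD83D\uDE00".getBytes(UTF_8);
        String asContainerSeesIt = new String(raw, ISO_8859_1); // "test=ðŸ˜€"

        // 0x9F, 0x98 and 0x80 decode to C1 control characters in Latin-1, so the
        // default-style check rejects the value, which is the 400 from the issue.
        System.out.println("default check: " + allowedAsIs(asContainerSeesIt));   // false
        // Re-decoded as UTF-8 the value is a single assigned emoji and passes.
        System.out.println("utf-8 check:   " + allowedAsUtf8(asContainerSeesIt)); // true
        // A header-injection style value is still blocked by the UTF-8 check.
        System.out.println("CR in value:   " + allowedAsUtf8("test=a\rb"));       // false
    }
}
```

The predicate only decides whether the firewall lets the request through; the application still has to decode the cookie value as UTF-8 itself when it reads it. A byte sequence that is not valid UTF-8 re-decodes to U+FFFD, which the character class accepts, so this relaxation does not reject malformed input; it merely stops treating bytes 0x80 to 0x9F as the C1 controls that the Latin-1 view makes them look like.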