Skip to content

NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 #9598

New issue
New issue
Closed
Closed
NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5#9598
Assignees
jzheaux
Labels
in: webAn issue in web modules (web, webmvc)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug
Milestone
 
5.5.0-RC2
@hitesh-modi

Description

@hitesh-modi
hitesh-modi
opened on Apr 12, 2021

Description
When request.getParameter(null) is called with spring-security-web 5.4.5, a NullPointerException is thrown from StrictHttpFirewall.java.

java.lang.NullPointerException: null at java.util.regex.Matcher.getTextLength(Matcher.java:1283) at java.util.regex.Matcher.reset(Matcher.java:309) at java.util.regex.Matcher.<init>(Matcher.java:229) at java.util.regex.Pattern.matcher(Pattern.java:1093) at org.springframework.security.web.firewall.StrictHttpFirewall.lambda$static$1(StrictHttpFirewall.java:122) at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.validateAllowedParameterName(StrictHttpFirewall.java:745) at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.getParameter(StrictHttpFirewall.java:676) at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:161) at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:161)

To Reproduce
Call request.getParameter(null)

Expected behavior
In earlier version 5.3.8, request.getParameter(null) use to return null, rather than NPE.

Metadata

Metadata

Assignees

Labels

in: webAn issue in web modules (web, webmvc)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions