CsrfConfigurer.ignoringRequestMatchers breaks on Spring Boot 3.1.2 #36500

Closed
nubitic-admin opened this issue Jul 21, 2023 · 2 comments
Labels: for: external-project (For an external project and not something we can fix); status: invalid (An issue that we don't feel is valid)

Comments

@nubitic-admin

If something like this is used:

http.csrf(csrf -> csrf.ignoringRequestMatchers("/login", "/something/**" ));

An exception triggers: "This method cannot decide whether these patterns are Spring MVC patterns or not..."

I've managed to trace down the change that issues this problem: class org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry, method public C requestMatchers(HttpMethod method, String... patterns)

Spring Boot 3.1.1 (Before):
[image: spring-boot-3 1]

Spring Boot 3.1.2 (Now):
[image: spring-boot-3 1 2]

@dreis2211
Contributor

This is a problem in Spring-Security. See spring-projects/spring-security#13568 if you want to subscribe to the issue. It has apparently been introduced to fix https://spring.io/security/cve-2023-34035 but I'm waiting on an answer there as well.

@wilkinsona
Member

Thanks, @dreis2211.

@wilkinsona closed this as not planned on Jul 21, 2023
@wilkinsona added the status: invalid and for: external-project labels and removed the status: waiting-for-triage label on Jul 21, 2023