Refine default filtered headers for web data binding #34182
Comments
spring-projects-issues
added
the
status: waiting-for-triage
snicoll
added
the
in: web
|
This change mentioned in here https://github.com/spring-projects/spring-framework/releases/tag/v6.2.0-M4
|
Thank you for that - great find! |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
@ioanclarke you can try the following: #34125 (comment) This issue is almost a duplicate of #34125, but we could consider it as a request to disable this feature by default. We'll discuss this as a team. |
bclozel
changed the title
bclozel
added
type: enhancement
|
We have discussed this as a team and we came to the following conclusion:
I'm repurposing this issue to extend the list of header names filtered by default, adding "Host" and more. |
|
Right now I'm leaning towards selecting the following headers to be ignored by default because they are:
We can refine this list if we get further feedback from the community. Applications can still opt back in by replacing the default predicate with your own: import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.servlet.mvc.method.annotation.ExtendedServletRequestDataBinder;
@ControllerAdvice
public class MyControllerAdvice {
@InitBinder
public void initBinder(ExtendedServletRequestDataBinder binder) {
binder.setHeaderPredicate(header -> ...);
}
} |
Prior to this commit, HTTP request data binding had been improved to filter out by default the "Priority" header in spring-projects#34039. This commit extends the set of filtered header names with: "Accept", "Authorization", "Connection", "Cookie", "From", "Host", "Origin", "Priority", "Range", "Referer", "Upgrade". If an application wishes to let those header be bound, it will need to configure the binder and replace the default header predicate by calling `setHeaderPredicate`. Closes spring-projectsgh-34182
Prior to this commit, several common HTTP headers were ignored from the data binding process when collecting property values, in gh-34039 and gh-34182. This commit completes the initial enhancement by ensuring that the default header predicate is also considering cases where constructor binding is applied and the Java type has a lowercase variant of the HTTP header name to filter. Fixes gh-34292
|
Following up from a related thread: I suspect that 6.2.3 will fix the issue i know about (origin header vs origin param), but i dont know if there are other places in my company where someones custom header happens to collide with some model value, and will start having erroneous information without us knowing it. As a feature its perfectly fine for it to work this way, it just feels like it sprung (heh) up out of nowhere for us. Hopefully nothing breaks? |
|
@nastharl please give a try to the latest 6.2.3 SNAPSHOTs and let us know if we need to refine things more. |
|
Will do :) Thanks again for the quick fixes. |
|
@bclozel |
|
@apoorvam Unlikely. This doesn't look like a well-known header so you'll have to configure the filtering for your application. |
Here's a minimal reproducible example of, what I believe is, a bug in Spring Boot 3.4.0.
I have a Spring Boot web app with a controller that looks like this:
where
SftpSearchRequestlooks like this:I have the app running on port 8088 and I am sending a request that looks like this:
GET http://localhost:8088/sftp?id=123.I believe Spring Boot attempts to following SemVer - and this appears to be a breaking change - which is why I believe this may be a bug, especially since I haven't found this behaviour change mentioned in release notes.
The text was updated successfully, but these errors were encountered: