From 1cb6069734fc30c34979aa6f0cbf4241599879ab Mon Sep 17 00:00:00 2001
From: Juergen Hoeller
Date: Sat, 14 Nov 2015 23:52:39 +0100
Subject: [PATCH] Polishing
---
 .../org/springframework/core/SerializableTypeWrapper.java | 6 +++---
 src/asciidoc/web-mvc.adoc | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/spring-core/src/main/java/org/springframework/core/SerializableTypeWrapper.java b/spring-core/src/main/java/org/springframework/core/SerializableTypeWrapper.java
index 3afd15fcc69..8f1fd9d9eb3 100644
--- a/spring-core/src/main/java/org/springframework/core/SerializableTypeWrapper.java
+++ b/spring-core/src/main/java/org/springframework/core/SerializableTypeWrapper.java
@@ -389,9 +389,9 @@ abstract class SerializableTypeWrapper {
 public Type getType() {
 Object result = this.result;
 if (result == null) {
- // Lazy invocation of the target method
+ // Lazy invocation of the target method on the provided type
 result = ReflectionUtils.invokeMethod(this.method, this.provider.getType());
- // Cache the result for further calls
+ // Cache the result for further calls to getType()
 this.result = result;
 }
 return (result instanceof Type[] ? ((Type[]) result)[this.index] : (Type) result);
@@ -405,7 +405,7 @@ abstract class SerializableTypeWrapper {
 private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException {
 inputStream.defaultReadObject();
 this.method = ReflectionUtils.findMethod(this.provider.getType().getClass(), this.methodName);
- Assert.state(this.method.getReturnType() == Type.class || this.method.getReturnType() == Type[].class);
+ Assert.state(Type.class == this.method.getReturnType() || Type[].class == this.method.getReturnType());
 }
 }
diff --git a/src/asciidoc/web-mvc.adoc b/src/asciidoc/web-mvc.adoc
index 5642a807614..8382a35b922 100644
--- a/src/asciidoc/web-mvc.adoc
+++ b/src/asciidoc/web-mvc.adoc
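Review bot: In `readObject` of SerializableTypeWrapper.java (the `@@ -405,7` hunk), the reordered `Assert.state` line still dereferences `this.method` without a null check, although `ReflectionUtils.findMethod(...)` returns null when nothing matches and `this.methodName` has just been restored from the stream by `defaultReadObject()`. A stream carrying an unknown method name therefore fails with a NullPointerException instead of a clear state error; add `Assert.state(this.method != null, "Cannot find method on deserialization: " + this.methodName);` before the return-type check. The return-type assertion also has no message, and it appears to be the only constraint on what `getType()` later invokes reflectively, so a one-line comment such as `// Deserialization guard: only Type / Type[] accessors may be restored` would record why it must stay. The enclosing class begins and ends outside the hunk, so any further validation elsewhere is not visible here.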
@@ -867,7 +867,7 @@ also <> for content negotiation configuration. [[mvc-ann-requestmapping-rfd]] -==== Suffix Suffix Pattern Matching and RFD +==== Suffix Pattern Matching and RFD Reflected file download (RFD) attack was first described in a https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/[paper by Trustwave] @@ -907,7 +907,7 @@ Below are additional recommendations from the report: For an example of how to do that with Spring see https://github.com/rwinch/spring-jackson-owasp[spring-jackson-owasp]. * Configure suffix pattern matching to be turned off or restricted to explicitly registered suffixes only. -* Configure content negotiation with the properties “useJaf” and “ignoreUknownPathExtension” +* Configure content negotiation with the properties "useJaf" and "ignoreUnknownPathExtensions" set to false which would result in a 406 response for URLs with unknown extensions. Note however that this may not be an option if URLs are naturally expected to have a dot towards the end.