spring-framework

Spring Framework

Tree: 6c816c55d1

Sam Brannen 5bc80fc094 Disable SpEL selector support in WebSocket messaging by default This commit disables support for evaluating SpEL expressions from untrusted sources by default. Specifically, this applies to the SpEL-based 'selector' header support in WebSocket messaging, which includes the DefaultSubscriptionRegistry and the classes used to configure the 'selector' header name (SimpleBrokerMessageHandler and SimpleBrokerRegistration). The selector header support remains in place but will have to be explicitly enabled beginning with Spring Framework 6.1. For example, a custom implementation of WebSocketMessageBrokerConfigurer can override the configureMessageBroker() method and configure the selector header name as follows. registry.enableSimpleBroker().setSelectorHeaderName("selector"); Closes gh-30550	3 years ago
..
src	Disable SpEL selector support in WebSocket messaging by default	3 years ago
spring-websocket.gradle	Align with Servlet 6.0 and introduce support for Jakarta WebSocket 2.1	3 years ago

Sam Brannen 5bc80fc094 Disable SpEL selector support in WebSocket messaging by default

This commit disables support for evaluating SpEL expressions from
untrusted sources by default. Specifically, this applies to the
SpEL-based 'selector' header support in WebSocket messaging, which
includes the DefaultSubscriptionRegistry and the classes used to
configure the 'selector' header name (SimpleBrokerMessageHandler and
SimpleBrokerRegistration).

The selector header support remains in place but will have to be
explicitly enabled beginning with Spring Framework 6.1.

For example, a custom implementation of WebSocketMessageBrokerConfigurer
can override the configureMessageBroker() method and configure the
selector header name as follows.

  registry.enableSimpleBroker().setSelectorHeaderName("selector");

Closes gh-30550

3 years ago

src

Disable SpEL selector support in WebSocket messaging by default

3 years ago

spring-websocket.gradle

Align with Servlet 6.0 and introduce support for Jakarta WebSocket 2.1

3 years ago