SEC-3082: make SavedRequest parameters case sensitive

10 years ago · 4144de9376
2 changed files with 6 additions and 5 deletions
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@ -62,8 +62,7 @@ public class DefaultSavedRequest implements SavedRequest {
				@@ -62,8 +62,7 @@ public class DefaultSavedRequest implements SavedRequest {
 	private final ArrayList<Locale> locales = new ArrayList<Locale>();
 	private final Map<String, List<String>> headers = new TreeMap<String, List<String>>(
 			String.CASE_INSENSITIVE_ORDER);
-	private final Map<String, String[]> parameters = new TreeMap<String, String[]>(
-			String.CASE_INSENSITIVE_ORDER);
+	private final Map<String, String[]> parameters = new TreeMap<String, String[]>();
 	private final String contextPath;
 	private final String method;
 	private final String pathInfo;
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
@ -32,13 +32,15 @@ public class DefaultSavedRequestTests {
				@@ -32,13 +32,15 @@ public class DefaultSavedRequestTests {
 		assertTrue(saved.getHeaderValues("if-none-match").isEmpty());
 	}

-	// TODO: Why are parameters case insensitive. I think this is a mistake
+	// SEC-3082
 	@Test
-	public void parametersAreCaseInsensitive() throws Exception {
+	public void parametersAreCaseSensitive() throws Exception {
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.addParameter("ThisIsATest", "Hi mom");
+		request.addParameter("AnotHerTest", "Hi dad");
+		request.addParameter("thisisatest", "Hi mom");
 		DefaultSavedRequest saved = new DefaultSavedRequest(request,
 				new MockPortResolver(8080, 8443));
 		assertEquals("Hi mom", saved.getParameterValues("thisisatest")[0]);
+		assertNull(saved.getParameterValues("anothertest"));
 	}
 }