Fix StrictHttpFirewall rules

Fixes: gh-5092
8 years ago · 8f8deac0f4
2 changed files with 3 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@ -340,7 +340,7 @@ public class StrictHttpFirewall implements HttpFirewall {
				@@ -340,7 +340,7 @@ public class StrictHttpFirewall implements HttpFirewall {
 			return true;
 		}

-		if (path.indexOf("//") > 0) {
+		if (path.indexOf("//") > -1) {
 			return false;
 		}

--- a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
+++ b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
@ -26,7 +26,8 @@ import static org.assertj.core.api.Assertions.fail;
				@@ -26,7 +26,8 @@ import static org.assertj.core.api.Assertions.fail;
 */
 public class StrictHttpFirewallTests {
 	public String[] unnormalizedPaths = { "/..", "/./path/", "/path/path/.", "/path/path//.", "./path/../path//.",
-			"./path", ".//path", ".", "/path//" };
+		"./path", ".//path", ".", "//path", "//path/path", "//path//path", "/path//path" };
+

 	private StrictHttpFirewall firewall = new StrictHttpFirewall();