From 8f8deac0f444f406f65701baefa54165e5a82da2 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 8 Mar 2018 21:29:31 -0600
Subject: [PATCH] Fix StrictHttpFirewall rules
Fixes: gh-5092
---
 .../security/web/firewall/StrictHttpFirewall.java | 2 +-
 .../security/web/firewall/StrictHttpFirewallTests.java | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
index 55438d727d..8be2d8fdf4 100644
--- a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
+++ b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -340,7 +340,7 @@ public class StrictHttpFirewall implements HttpFirewall {
 return true;
 }
- if (path.indexOf("//") > 0) {
+ if (path.indexOf("//") > -1) {
 return false;
 }
diff --git a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
index c9bbc654a1..5613ad4dbc 100644
--- a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
+++ b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
@@ -26,7 +26,8 @@ import static org.assertj.core.api.Assertions.fail;
 */
 public class StrictHttpFirewallTests {
 public String[] unnormalizedPaths = { "/..", "/./path/", "/path/path/.", "/path/path//.", "./path/../path//.",
- "./path", ".//path", ".", "/path//" };
+ "./path", ".//path", ".", "//path", "//path/path", "//path//path", "/path//path" };
+ private StrictHttpFirewall firewall = new StrictHttpFirewall();
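Review bot: In the `StrictHttpFirewall.java` hunk, the double-slash check would be harder to get wrong again if written as `if (path.contains("//")) {`, because the `indexOf("//") > 0` form being replaced exempted a match at index 0 and `> -1` keeps the same sentinel arithmetic. A short comment such as `// "//" is rejected at any position, including the start of the path` would record the intent for the next maintainer. The enclosing method begins and ends outside the hunk, so whether percent-encoded slashes are rejected before this check runs cannot be confirmed from here. In the test hunk, `"/path//"` is removed from `unnormalizedPaths` while the leading-`//` cases are added, so the trailing double-slash case appears to lose coverage; keeping that entry alongside the new ones would preserve it.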