[UNDERTOW-2462] Adding default constant for ALLOW_ENCODED_SLASH

undertow-io · Oct 4, 2024 · 0a60ecb · 0a60ecb
1 parent a91ae22
commit 0a60ecb
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/core/src/main/java/io/undertow/UndertowOptions.java b/core/src/main/java/io/undertow/UndertowOptions.java
@@ -112,13 +112,18 @@ public class UndertowOptions {
      */
     public static final Option<Integer> MAX_COOKIES = Option.simple(UndertowOptions.class, "MAX_COOKIES", Integer.class);
 
+    /**
+     * Default value of {@link #ALLOW_ENCODED_SLASH} option.
+     */
+    public static final Boolean DEFAULT_ALLOW_ENCODED_SLASH = Boolean.FALSE;
+
     /**
      * If a request comes in with encoded / characters (i.e. %2F), will these be decoded.
      * <p>
      * This can cause security problems if a front end proxy does not perform the same decoding, and as a result
      * this is disabled by default.
      * <p>
-     * Defaults to false
+     * Defaults to {@link #DEFAULT_ALLOW_ENCODED_SLASH}
      * <p>
      * See <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450">CVE-2007-0450</a>
      * @deprecated - this option was interpreted improperly.

diff --git a/core/src/main/java/io/undertow/util/URLUtils.java b/core/src/main/java/io/undertow/util/URLUtils.java
@@ -354,7 +354,7 @@ public static boolean isAbsoluteUrl(String location) {
     }
 
     public static boolean getSlashDecodingFlag(final OptionMap options) {
-        final boolean allowEncodedSlash = options.get(UndertowOptions.ALLOW_ENCODED_SLASH, false);
+        final boolean allowEncodedSlash = options.get(UndertowOptions.ALLOW_ENCODED_SLASH, UndertowOptions.DEFAULT_ALLOW_ENCODED_SLASH);
         final Boolean decodeSlash = options.get(UndertowOptions.DECODE_SLASH);
         return getSlashDecodingFlag(allowEncodedSlash, decodeSlash);
     }