bryden_cruz 2 hours ago
This exact ambiguity causes massive headaches when putting Nginx in front of a Spring Boot backend. Nginx defaults to merge_slashes on, so it silently 'fixes' the path. But Spring Security's strict firewall explicitly rejects URLs with // as a potential directory traversal vector and throws an error. It forces you to explicitly decide which layer in your infrastructure owns path normalization, because if Nginx passes it raw, the Java backend completely panics.
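A small model of the interaction this comment describes, added here as an example and not code from nginx, Spring Security or the commenter: `nginx_merge_slashes` approximates nginx with merge_slashes on, `strict_firewall_is_normalized` approximates Spring Security's StrictHttpFirewall normalization check, and `backend_outcome` shows what the backend sees depending on which layer normalizes. Both helpers are simplified assumptions about the real behaviour, and the sample paths are constructed.

```python
"""Constructed model of proxy-vs-backend path normalization ownership."""

import re


def nginx_merge_slashes(path: str) -> str:
    """Approximation of nginx with merge_slashes on (the default): runs of
    adjacent slashes in the request path collapse into one slash. This is
    an assumption-level model, not nginx's actual parser."""
    return re.sub(r"/{2,}", "/", path)


def strict_firewall_is_normalized(path: str) -> bool:
    """Simplified model of StrictHttpFirewall's check: a "//" anywhere in
    the path, or a "." / ".." segment, causes the request to be rejected
    before any controller code runs."""
    if "//" in path:
        return False
    return not any(seg in (".", "..") for seg in path.split("/"))


def backend_outcome(raw_path: str, proxy_merges_slashes: bool) -> tuple[str, bool]:
    """Return (path the backend receives, whether the strict firewall
    accepts it) for a raw client path, with or without nginx merging."""
    forwarded = nginx_merge_slashes(raw_path) if proxy_merges_slashes else raw_path
    return forwarded, strict_firewall_is_normalized(forwarded)


if __name__ == "__main__":
    # Constructed sample requests: a doubled slash, a clean path, a ".." segment.
    for raw in ("/api//users", "/api/users", "/static/../admin"):
        for merges in (True, False):
            seen, ok = backend_outcome(raw, merges)
            print(f"{raw!r:20} merge_slashes={merges!s:5} "
                  f"backend sees {seen!r:20} accepted={ok}")
```

Note that merging slashes at the proxy only resolves the `//` case; a `..` segment still reaches the backend unchanged and is still rejected there, so one layer has to own the full normalization policy rather than half of it.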
jeroenhd 2 hours ago | parent
What I don't understand about this setup is why a double slash could ever be a directory traversal attack in Spring Boot. If you're proxying to another server that just assumes relative paths and doesn't do any kind of validation, I guess an extra / might cause reading files outside of the expected area? That'd be an extremely weird and awful setup that I don't think makes any sense in the context of Spring Boot.