From: Miguel Landaeta Date: Mon, 24 Mar 2014 17:07:58 -0300 Subject: CVE-2014-1904 Bug: http://bugs.debian.org/741604 diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java index 2e9cc84..b416084 100644 --- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java +++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2010 the original author or authors. + * Copyright 2002-2014 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.jsp.JspException; import javax.servlet.jsp.PageContext; +import java.io.UnsupportedEncodingException; + import org.springframework.beans.PropertyAccessor; import org.springframework.core.Conventions; import org.springframework.util.ObjectUtils; import org.springframework.util.StringUtils; import org.springframework.web.util.HtmlUtils; +import org.springframework.web.util.UriUtils; /** * Databinding-aware JSP tag for rendering an HTML 'form' whose @@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag { } else { String requestUri = getRequestContext().getRequestUri(); + String encoding = pageContext.getResponse().getCharacterEncoding(); + try { + requestUri = UriUtils.encodePath(requestUri, encoding); + } + catch (UnsupportedEncodingException e) { + throw new JspException(e); + } ServletResponse response = this.pageContext.getResponse(); if (response instanceof HttpServletResponse) { requestUri = ((HttpServletResponse) response).encodeURL(requestUri);