Fix non-ASCII characters in headers being rejected (#5377)#5699

Open
Eruis2579 wants to merge 1 commit into Stirling-Tools:main from Eruis2579:fix/non-ascii-header-values-5377

Conversation

@Eruis2579
Contributor

Description

Fixes #5377

This PR fixes an issue where HTTP headers containing non-ASCII characters (e.g., "Dvořák" in the Remote-User header) were rejected with a 400 Bad Request error, even when authentication was disabled.

Problem

Spring Security's default StrictHttpFirewall rejects header values containing non-ASCII characters. This causes issues when reverse proxies (like Authelia) set headers with international usernames containing non-ASCII characters.

Solution

  • Added a custom HttpFirewall bean that allows non-ASCII characters in header values
  • Configured StrictHttpFirewall to accept valid UTF-8 encoded header values
  • Added validation to ensure only valid UTF-8 encoding is accepted (maintains security)
  • Also allows non-ASCII characters in parameter values for consistency

Changes

  • SecurityConfiguration.java: Added httpFirewall() bean method that configures StrictHttpFirewall to allow non-ASCII characters

Testing

Headers with non-ASCII characters (e.g., Remote-User: Dvořák) should now be accepted instead of returning 400 Bad Request.

Security

The fix maintains security by validating that header values are valid UTF-8 encoded strings, preventing malformed or malicious input.
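One way to implement the bean the description outlines, as an added example rather than the PR's own code. It assumes the servlet container hands header values to Spring decoded as ISO-8859-1 (the servlet default, which is why a UTF-8 name such as "Dvořák" arrives one char per byte) and uses StrictHttpFirewall's setAllowedHeaderValues/setAllowedParameterValues predicates; the class name HeaderFirewallConfig and the helper isValidUtf8WithoutControls are placeholders. The point it adds is that relaxing the ASCII-only rule must still reject control characters (CR, LF, NUL), otherwise the firewall's header-injection protection is lost.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration // placeholder class name, not the project's SecurityConfiguration
public class HeaderFirewallConfig {

    /** True if the value is well-formed UTF-8 and contains no control characters. */
    static boolean isValidUtf8WithoutControls(String raw) {
        if (raw == null) {
            return true; // absent value; nothing to validate
        }
        String decoded;
        if (raw.chars().anyMatch(c -> c > 0xFF)) {
            // Already a real Unicode string (container decoded it as UTF-8 itself).
            decoded = raw;
        } else {
            // Assumed ISO-8859-1 decoding: recover the raw bytes and decode strictly.
            byte[] bytes = raw.getBytes(StandardCharsets.ISO_8859_1);
            CharsetDecoder strict = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT);
            try {
                decoded = strict.decode(ByteBuffer.wrap(bytes)).toString();
            } catch (CharacterCodingException e) {
                return false; // malformed or overlong sequences are rejected
            }
        }
        // C0/C1 controls (CR, LF, NUL, 0x80-0x9F ...) stay forbidden; only HTAB is
        // a legal header-value character, so the firewall still blocks injection.
        return decoded.codePoints().noneMatch(cp -> Character.isISOControl(cp) && cp != '\t');
    }

    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        Predicate<String> utf8NoControls = HeaderFirewallConfig::isValidUtf8WithoutControls;
        firewall.setAllowedHeaderValues(utf8NoControls);    // e.g. Remote-User: Dvořák
        firewall.setAllowedParameterValues(utf8NoControls); // same rule for parameters
        return firewall;
    }
}
```

If the container is configured to decode headers as UTF-8 instead, the ISO-8859-1 branch would wrongly reject Latin-1-range characters such as "ü", so the predicate must match the container's header charset.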

@dosubot dosubot bot added size:L This PR changes 100-499 lines ignoring generated files. Bugfix Pull requests that fix bugs labels Feb 9, 2026
@stirlingbot stirlingbot bot added Java Pull requests that update Java code Back End Issues related to back-end development Security Security-related issues or pull requests and removed Bugfix Pull requests that fix bugs labels Feb 9, 2026
@Eruis2579 Eruis2579 closed this Feb 9, 2026
@Eruis2579 Eruis2579 deleted the fix/non-ascii-header-values-5377 branch February 9, 2026 05:55
@Eruis2579 Eruis2579 restored the fix/non-ascii-header-values-5377 branch February 9, 2026 05:55
@Eruis2579 Eruis2579 reopened this Feb 9, 2026
@Eruis2579 Eruis2579 closed this Feb 9, 2026
@Eruis2579 Eruis2579 deleted the fix/non-ascii-header-values-5377 branch February 9, 2026 06:01
@Eruis2579 Eruis2579 restored the fix/non-ascii-header-values-5377 branch February 9, 2026 06:02
@Eruis2579 Eruis2579 reopened this Feb 9, 2026
- Add HttpFirewall bean to allow non-ASCII characters in header values
- Configure StrictHttpFirewall to accept valid UTF-8 encoded header values
- Fixes issue where Remote-User header with non-ASCII characters (e.g., "Dvořák")
  was rejected with 400 Bad Request even when authentication is disabled
- Also allow non-ASCII characters in parameter values for consistency

Fixes Stirling-Tools#5377
@Eruis2579 Eruis2579 force-pushed the fix/non-ascii-header-values-5377 branch from f6744d9 to dc69c7d February 9, 2026 06:07
@dosubot dosubot bot added size:M This PR changes 30-99 lines ignoring generated files. and removed size:L This PR changes 100-499 lines ignoring generated files. labels Feb 9, 2026
@stirlingbot stirlingbot bot removed the Back End Issues related to back-end development label Feb 9, 2026
@Frooodle
Member

/deploypr

@stirlingbot stirlingbot bot added the pr-deployed Pull request has been deployed to a test environment label Feb 11, 2026
@stirlingbot
Contributor

stirlingbot bot commented Feb 11, 2026

🚀 PR Test Deployment

Your PR has been deployed for testing!

🔗 Test URL: http://98.89.26.138:5699
Security Disabled

This deployment will be automatically cleaned up when the PR is closed.

Development

Successfully merging this pull request may close these issues.

[Bug]: Error 400 when Remote-User contains non-ASCII characters even with authentication disabled