Skip to content

[3.34] Strip matrix parameters from request paths during HTTP security polic…#53933

Merged
gsmet merged 1 commit intoquarkusio:3.34from
gsmet:matrix-3.34
May 4, 2026
Merged

[3.34] Strip matrix parameters from request paths during HTTP security polic…#53933
gsmet merged 1 commit intoquarkusio:3.34from
gsmet:matrix-3.34

Conversation

@gsmet
Copy link
Copy Markdown
Member

@gsmet gsmet commented May 4, 2026

…y matching

Matrix parameters (semicolon-delimited values in URL path segments, e.g. /api;v=1/resource) could bypass HTTP security policy path matching. This commit strips matrix parameters before matching across all security-relevant paths: HTTP policy matcher, Keycloak policy enforcer, OIDC tenant resolver, CSRF filter, and Undertow servlet policy.

Additionally, the build now fails if an HTTP security policy path contains a literal semicolon character.

@cescoffier @gsmet
Strip matrix parameters from request paths during HTTP security polic…
abd9885 
…y matching

Matrix parameters (semicolon-delimited values in URL path segments, e.g.
/api;v=1/resource) could bypass HTTP security policy path matching. This
commit strips matrix parameters before matching across all security-relevant
paths: HTTP policy matcher, Keycloak policy enforcer, OIDC tenant resolver,
CSRF filter, and Undertow servlet policy.

Additionally, the build now fails if an HTTP security policy path contains
a literal semicolon character.
@quarkus-bot quarkus-bot Bot changed the title Strip matrix parameters from request paths during HTTP security polic… [3.34] Strip matrix parameters from request paths during HTTP security polic… May 4, 2026
@quarkus-bot
Copy link
Copy Markdown

quarkus-bot Bot commented May 4, 2026

Thanks for your pull request!

Your pull request does not follow our editorial rules. Could you have a look?

  • title should not end up with ellipsis (make sure the title is complete)

This message is automatically generated by a bot.

@gastaldi gastaldi added the triage/waiting-for-ci Ready to merge when CI successfully finishes label May 4, 2026
@quarkus-bot
Copy link
Copy Markdown

quarkus-bot Bot commented May 4, 2026

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit abd9885.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026
edited
Loading

🙈 The PR is closed and the preview is expired.

@gsmet gsmet merged commit c36e913 into quarkusio:3.34 May 4, 2026
52 of 65 checks passed
@quarkus-bot quarkus-bot Bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label May 4, 2026
@gsmet gsmet added this to the 3.34.7 milestone May 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gastaldi gastaldi gastaldi approved these changes

@geoand geoand geoand approved these changes

Assignees

No one assigned

Labels

area/docstyle issues related for manual docstyle review area/documentation area/keycloak area/oidc area/rest area/resteasy-classic area/security area/undertow area/vertx

Projects

None yet

Milestone

3.34.7

Development

Successfully merging this pull request may close these issues.

4 participants

@gsmet @gastaldi @geoand @cescoffier