Disable suffix pattern matching for Endpoints

Update EndpointHandlerMapping so that setUseSuffixPatternMatch is set to false. This prevents URLs of the form /beans.json from returning results and provides another line of defense against RDF attacks. Fixes gh-4402

Disable suffix pattern matching for Endpoints
Update EndpointHandlerMapping so that setUseSuffixPatternMatch is set to false. This prevents URLs of the form /beans.json from returning results and provides another line of defense against RDF attacks. Fixes gh-4402
09b5222f · Phillip Webb · 10d407a5 · 09b5222f
Commit 09b5222f authored Nov 12, 2015 by Phillip Webb
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

EndpointHandlerMapping.java ...ork/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java +1 -0

No files found.
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
@@ -80,6 +80,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
 			CorsConfiguration corsConfiguration) {
 		this.endpoints = new HashSet<MvcEndpoint>(endpoints);
 		this.corsConfiguration = corsConfiguration;
+		setUseSuffixPatternMatch(false);
 		// By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
 		// and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
 		setOrder(-100);