fix UTF-8 headers

core/src/main/java/de/bstly/we/security/SecurityConfig.java

@@ -3,8 +3,10 @@
  */
 package de.bstly.we.security;
 
+import java.io.UnsupportedEncodingException;
 import java.util.Collections;
 import java.util.List;
+import java.util.regex.Pattern;
 
 import javax.sql.DataSource;
 
@@ -27,6 +29,7 @@ import org.springframework.security.web.authentication.rememberme.JdbcTokenRepos
 import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
@@ -297,4 +300,21 @@ public class SecurityConfig {
 		return rememberMeServices;
 	}
 
+	@Bean
+	public StrictHttpFirewall httpFirewall() {
+		StrictHttpFirewall firewall = new StrictHttpFirewall();
+		Pattern allowed = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
+		firewall.setAllowedHeaderValues((header) -> {
+			String parsed;
+			try {
+				parsed = new String(header.getBytes("ISO_8859_1"), "UTF_8");
+				return allowed.matcher(parsed).matches();
+			} catch (UnsupportedEncodingException e) {
+				e.printStackTrace();
+			}
+			return allowed.matcher(header).matches();
+		});
+		return firewall;
+	}
+
 }

pom.xml

@@ -13,7 +13,7 @@
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<java.version>11</java.version>
 		<log4j2.version>2.19.0</log4j2.version>
-		<revision>2.0.0-SNAPSHOT</revision>
+		<revision>2.0.1-SNAPSHOT</revision>
 	</properties>
 
 	<parent>