Handle setHeader null values in response wrappers by therepanic · Pull Request #18971 · spring-projects/spring-security · GitHub

Handle setHeader null values in response wrappers #18971

Closed
therepanic wants to merge 1 commit into spring-projects:main from therepanic:gh-18970

Conversation

@therepanic

@therepanic therepanic commented Mar 23, 2026

Contributor

The main problem is that `HttpServletResponse`, according to its contract, accepts null values in `setHeader`. When an argument is null, we must remove the header. So, the main idea is to make these arguments `@Nullable` in our implementations and handle cases where they are null as described in the contract.

By the way, some methods, such as `addHeader` in the same interface, can also accept null by contract, but in that case, we don't have to do anything. I think we're handling this correctly now, and we can afford to make their arguments non-nullable, as they are now.

https://github.com/jakartaee/servlet/blob/main/api/src/main/java/jakarta/servlet/http/HttpServletResponse.java#L306

Closes: gh-18970

The main problem is that `HttpServletResponse`, according to its contract,
accepts null values in `setHeader`. When an argument is null,
we must remove the header. So, the main idea is to make these arguments
`@Nullable` in our implementations and handle cases where they are null as
described in the contract.

By the way, some methods, such as `addHeader` in the same interface, can
also accept null by contract, but in that case, we don't have to do
anything. I think we're handling this correctly now, and we can afford
to make their arguments non-nullable, as they are now.

Closes: spring-projectsgh-18970

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
Comment on lines +54 to 57

Contributor Author


We just need to mark it as `@Nullable` because if `value` is null, `validateCrlf` will work as expected anyway.
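The null handling discussed in this thread, as an added example that is not code from the pull request or from Spring Security: a header-validating response wrapper that inspects the value only when it is non-null and passes null through so the delegate can remove the header. The names `NullSafeHeaderDemo`, `CrlfCheckingResponse` and `rejectCrlf` are hypothetical, the proxy-backed response is a constructed stand-in that models only `setHeader` as the contract cited above describes it, and `jakarta.servlet-api` is assumed to be on the classpath.

```java
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.TreeMap;

// Added example (hypothetical names); needs jakarta.servlet-api on the classpath.
public class NullSafeHeaderDemo {
    static class CrlfCheckingResponse extends HttpServletResponseWrapper {
        CrlfCheckingResponse(HttpServletResponse response) {
            super(response);
        }
        @Override
        public void setHeader(String name, String value) {
            rejectCrlf(name); // name is assumed non-null here
            if (value != null) {
                rejectCrlf(value); // inspect the value only when there is one
            }
            // null is passed through unchanged so the delegate can remove the header
            super.setHeader(name, value);
        }
        private static void rejectCrlf(String text) {
            if (text.indexOf('\r') >= 0 || text.indexOf('\n') >= 0) {
                throw new IllegalArgumentException("header contains CR or LF");
            }
        }
    }

    public static void main(String[] args) {
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        // Constructed stand-in for the container's response: models setHeader only.
        HttpServletResponse fake = (HttpServletResponse) Proxy.newProxyInstance(
                HttpServletResponse.class.getClassLoader(),
                new Class<?>[] { HttpServletResponse.class },
                (proxy, method, a) -> {
                    if (method.getName().equals("setHeader")) {
                        if (a[1] == null) headers.remove((String) a[0]);
                        else headers.put((String) a[0], (String) a[1]);
                    }
                    return null;
                });
        HttpServletResponse response = new CrlfCheckingResponse(fake);
        response.setHeader("X-Demo", "one");
        response.setHeader("X-Demo", null); // removal request, must not throw
        System.out.println("X-Demo present: " + headers.containsKey("X-Demo"));
        try { response.setHeader("X-Demo", "a\r\nb"); }
        catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```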

@rwinch rwinch removed the status: waiting-for-triage An issue we've not yet triaged label Mar 26, 2026
@rwinch rwinch self-assigned this Mar 26, 2026
@rwinch

rwinch commented Mar 26, 2026

Member

@rwinch rwinch closed this Mar 26, 2026

Development

Successfully merging this pull request may close these issues.

OnCommittedResponseWrapper#setHeader does not properly handle null value

3 participants