spring-projects/spring-boot

whitelabel error page vulnerability

Closed this issue · 1 comments

Hello.
There is a SpEL injection problem (I would consider it a vulnerability) with the whitelabel error page.
If an error message shows the used value and the used value contains a SpEL expression, it will be evaluated server side.
The recommendation is to disable the whitelabel, but I suppose this should still get fixed.
Example:
Suppose you have a RESTful service, implemented on the Spring Boot framework, that expects a parameter exactMatch=true/false. By default, if inputs are not validated and the whitelabel page is enabled, entering an expression, e.g. exactMatch=test${SPEL}test, would get SPEL executed if requested over text/html, since the error message includes the original value, e.g. java.lang.IllegalArgumentException: Invalid boolean value test${SPEL}test

Thanks for reporting this one! I think I have a fix but I'd very much appreciate another pair of eyes on it. Could you try the latest SNAPSHOT version and let me know if things are now OK?
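
A simplified model of one way this class of bug arises, as an added example that is not part of the issue thread and is not Spring Boot's code: a renderer that rescans substituted values for `${...}` evaluates text reflected from the request, while a single-pass renderer leaves it inert. The class and method names are hypothetical, and `evaluate` is a harmless stand-in for an expression evaluator.

```java
import java.util.Collections;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PlaceholderRescanDemo {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]*)\\}");

    // Harmless stand-in for an expression evaluator: model lookup, otherwise
    // a marker showing that the text was treated as an expression.
    static String evaluate(String expr, Map<String, String> model) {
        String value = model.get(expr);
        return value != null ? value : "[EVALUATED:" + expr + "]";
    }

    // Safe pattern: placeholders are resolved in the template only; the
    // substituted values are emitted as inert text and never scanned.
    static String renderSinglePass(String template, Map<String, String> model) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // quoteReplacement keeps '$' and '\' in the value literal
            m.appendReplacement(out, Matcher.quoteReplacement(evaluate(m.group(1), model)));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Vulnerable pattern: the output is rescanned until no placeholder is
    // left, so a placeholder inside a reflected value is evaluated too.
    static String renderRescanning(String template, Map<String, String> model) {
        String out = template;
        for (int pass = 0; pass < 8 && PLACEHOLDER.matcher(out).find(); pass++) {
            out = renderSinglePass(out, model);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the error text from the report, reflecting the raw parameter.
        Map<String, String> model = Collections.singletonMap(
                "message", "Invalid boolean value test${SPEL}test");
        String template = "<div>${message}</div>";
        System.out.println(renderRescanning(template, model));
        System.out.println(renderSinglePass(template, model));
    }
}
```

Single-pass substitution removes the evaluation; the reflected value still needs HTML escaping before it is written into a text/html response.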