Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-8217

StackOverflow if double quotes present

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 3.2.7
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      When a double quote is present in a HTTP header, a StackOverflow is thrown by CXF.

      If this header is passed: 

      Forwarded=[for=192.168.0.1;host=localhost;proto=http;proto-version=""],

      It will cause a StackOverflow error:

      08:14:03.035 [XNIO-2 task-2] WARN  o.a.cxf.phase.PhaseInterceptorChain - Interceptor for {http://www.mytest.com/services/business/logOn/v1}logOnServicePortService#{http://www.mytest.com/services/business/logOn/v1}logOnService has thrown exception, unwinding now08:14:03.035 [XNIO-2 task-2] WARN  o.a.cxf.phase.PhaseInterceptorChain - Interceptor for {http://www.mytest.com/services/business/logOn/v1}logOnServicePortService#{http://www.mytest.com/services/business/logOn/v1}logOnService has thrown exception, unwinding noworg.apache.cxf.interceptor.Fault: null
          at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:144)
          at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
          at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
          at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
          at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
          at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
          at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
          at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
          at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
          at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)
          at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
          at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
          at org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:111)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
          at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
          at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
          at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
          at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
          at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
          at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
          at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
          at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
          at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
          at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
          at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
          at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
          at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
          at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
          at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
          at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
          at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
          at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.StackOverflowError: null
          at java.util.regex.Pattern$LazyLoop.match(Pattern.java:4857)
          at java.util.regex.Pattern$GroupTail.match(Pattern.java:4731)
          at java.util.regex.Pattern$BranchConn.match(Pattern.java:4582)
          at java.util.regex.Pattern$CharProperty.match(Pattern.java:3791)
          at java.util.regex.Pattern$Branch.match(Pattern.java:4618)
          at java.util.regex.Pattern$GroupHead.match(Pattern.java:4672)
          at java.util.regex.Pattern$LazyLoop.match(Pattern.java:4861)
          at java.util.regex.Pattern$GroupTail.match(Pattern.java:4731)
          at java.util.regex.Pattern$BranchConn.match(Pattern.java:4582)
          at java.util.regex.Pattern$CharProperty.match(Pattern.java:3791)
          at java.util.regex.Pattern$Branch.match(Pattern.java:4618)
          at java.util.regex.Pattern$GroupHead.match(Pattern.java:4672)
          at java.util.regex.Pattern$LazyLoop.match(Pattern.java:4861)
          at java.util.regex.Pattern$GroupTail.match(Pattern.java:4731)
          at java.util.regex.Pattern$BranchConn.match(Pattern.java:4582)
          at java.util.regex.Pattern$CharProperty.match(Pattern.java:3791)
          at java.util.regex.Pattern$Branch.match(Pattern.java:4618)
          at java.util.regex.Pattern$GroupHead.match(Pattern.java:4672)
          at java.util.regex.Pattern$LazyLoop.match(Pattern.java:4861)
          at java.util.regex.Pattern$GroupTail.match(Pattern.java:4731)
          at java.util.regex.Pattern$BranchConn.match(Pattern.java:4582)
          at java.util.regex.Pattern$CharProperty.match(Pattern.java:3791)
          at java.util.regex.Pattern$Branch.match(Pattern.java:4618)
          at java.util.regex.Pattern$GroupHead.match(Pattern.java:4672)
          at java.util.regex.Pattern$LazyLoop.match(Pattern.java:4861)
          at java.util.regex.Pattern$GroupTail.match(Pattern.java:4731)
          at java.util.regex.Pattern$BranchConn.match(Pattern.java:4582)
          at java.util.regex.Pattern$CharProperty.match(Pattern.java:3791)
      

      If the header is passed without double quotes:

      Forwarded=[for=192.168.0.1;host=localhost;proto=http;proto-version=],

      The service works correctly.

      This issue is caused by the bug in the Openshift router [#8|https://github.com/openshift/router/pull/8], however the presence of double quotes should not cause a StackOverfow error.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              mrbq Marcos Rivas
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: