CXF-8434

JsonMapObjectReaderWriter doesn't escape double quotes


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.4.1
    • Fix Version/s: None
    • Component/s: JAX-RS
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      JsonMapObjectReaderWriter doesn't escape double quotes when writing String values. The writer appends values using 'out.append(value.toString());' without any checks.

      If the value of a JWT claim contains double quotes, it's possible to manipulate the serialized JSON. This is especially problematic if user-supplied values are part of the JWT.

      I've added an example program where the expiration of a token is set to 5 minutes and a second claim named "additionalClaim" has the value: <<a","exp":9999999999,"b":"x>>

      JsonMapObjectReaderWriter serializes this as:

      {"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}

      If the JWT parser used (like CXF itself) implements a "last key occurrence wins" strategy, the expiration of the parsed JWT will be 9999999999.

      Thus, if a 
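The injection described in this report, reproduced as an added Python example (not CXF code and not the reporter's example program): a naive writer that appends string values verbatim, the hardened form that escapes them, and a duplicate-key check that a consumer can run over a serialized payload before trusting it. The claim value and the expiration are taken from the description above; the function names are the example's own.

```python
import json

# Constructed attacker-controlled claim value from the report: it closes the
# string, injects a second "exp" and opens a new string to keep the JSON valid.
INJECTED_VALUE = 'a","exp":9999999999,"b":"x'


def naive_serialize(claims):
    """Mimic the behaviour the report describes (not CXF's code): string
    values are appended as-is, with no escaping of quotes or backslashes."""
    parts = []
    for key, value in claims.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (key, value))
        else:
            parts.append('"%s":%s' % (key, json.dumps(value)))
    return "{" + ",".join(parts) + "}"


def safe_serialize(claims):
    """Hardened counterpart: a real JSON encoder escapes '"', '\\' and
    control characters, so a claim value can never close its own string."""
    return json.dumps(claims, separators=(",", ":"))


def parse_last_wins(payload):
    """json.loads keeps the last value for a repeated key, which is the
    'last key occurrence wins' strategy the report attributes to CXF."""
    return json.loads(payload)


def find_duplicate_keys(payload):
    """Consumer-side check: list keys that occur more than once in any
    object of the payload. object_pairs_hook sees every pair before the
    dict collapses them, so duplicates are detectable here but not after
    a plain json.loads."""
    duplicates = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(payload, object_pairs_hook=hook)
    return duplicates


def demo(exp=1615227615):
    """Serialize the report's claim set both ways and show what a
    last-key-wins parser ends up believing about 'exp'."""
    claims = {"exp": exp, "additionalClaim": INJECTED_VALUE}
    naive = naive_serialize(claims)
    safe = safe_serialize(claims)
    return {
        "naive": naive,
        "naive_exp": parse_last_wins(naive)["exp"],
        "naive_duplicates": find_duplicate_keys(naive),
        "safe": safe,
        "safe_exp": parse_last_wins(safe)["exp"],
        "safe_claim": parse_last_wins(safe)["additionalClaim"],
        "safe_duplicates": find_duplicate_keys(safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-17s %s" % (name + ":", value))
```

The naive output is byte-for-byte the string quoted in the description, and a last-key-wins parser reads its expiration as 9999999999; the escaped form round-trips the injected value as an ordinary string and the duplicate-key check comes back empty. A JWT consumer that rejects any payload with repeated keys closes the parser side of this regardless of how the token was produced.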

              People

              • Assignee: Unassigned
              • Reporter: a.gonzalez Alonso Gonzalez