CXF-8435

JsonMapObjectReaderWriter doesn't escape double quotes


Details

    Type: Bug
    Status: Closed
    Priority: Major
    Resolution: Fixed
    Affects Version/s: 3.4.1
    Fix Version/s: 3.4.4, 3.3.11
    Component/s: JAX-RS
    Labels: None
    Estimated Complexity: Unknown

    Description

      JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values without any modifications/checks.

      If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user-supplied values are included.

      I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.

      JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body: {"exp":1615227615,"userInput":"a","exp":9999999999,"b":"x"}

      If the parsing library (like CXF itself) overwrites duplicate claims, the last occurrence of a claim wins. This allows a malicious user to manipulate server-generated claims with his own values.

      Attachments

        1. TestJson.java (1 kB, Alonso Gonzalez)
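      The injection the report describes, reduced to a runnable model. This is an added example and not CXF's code: `vulnerable_to_json` is a constructed serializer that imitates the reported behaviour (string values concatenated without escaping), not the real `toJsonInternal`; the claim names, the expiry value and the payload are the ones quoted in the description. `fixed_to_json` and `parse_reject_duplicates` show two hardenings a practitioner would apply (RFC 8259 string escaping on output, and refusing objects with repeated member names on input); the page does not say which change the CXF fix made, so treat them as the editor's suggestions rather than a description of the patch.

```python
import json

# Constructed sample data mirroring the report: a server-set expiry plus one
# attacker-controlled string claim carrying the payload quoted in the issue.
SERVER_EXP = 1615227615
PAYLOAD = 'a","exp":9999999999,"b":"x'
CLAIMS = {"exp": SERVER_EXP, "userInput": PAYLOAD}


def vulnerable_to_json(claims):
    """Naive serializer modelled on the reported behaviour (not CXF's code):
    string values are concatenated into the JSON text verbatim, so a quote in
    a value ends the string early and the remainder becomes JSON syntax."""
    parts = []
    for name, value in claims.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (name, value))
        else:
            parts.append('"%s":%s' % (name, json.dumps(value)))
    return "{" + ",".join(parts) + "}"


def json_escape(text):
    """Escape a string per RFC 8259 section 7: backslash, double quote and
    control characters (U+0000..U+001F) must be escaped."""
    out = []
    for ch in text:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def fixed_to_json(claims):
    """Same serializer with names and string values escaped before they are
    concatenated, so a value can never close its own string."""
    parts = []
    for name, value in claims.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (json_escape(name), json_escape(value)))
        else:
            parts.append('"%s":%s' % (json_escape(name), json.dumps(value)))
    return "{" + ",".join(parts) + "}"


def parse_last_wins(text):
    """Lenient parse: json.loads, like many JSON libraries, keeps the last
    value for a repeated member name, which is what lets the injected exp win."""
    return json.loads(text)


def parse_reject_duplicates(text):
    """Defensive parse: refuse any object that repeats a member name."""
    def check(pairs):
        seen = set()
        for name, _ in pairs:
            if name in seen:
                raise ValueError("duplicate member %r" % name)
            seen.add(name)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=check)


def is_rejected(text):
    """True if the defensive parser refuses the document."""
    try:
        parse_reject_duplicates(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = vulnerable_to_json(CLAIMS)
    good = fixed_to_json(CLAIMS)
    print("vulnerable:", bad)
    print("  parsed exp:", parse_last_wins(bad)["exp"])   # attacker's 9999999999
    print("escaped:   ", good)
    print("  parsed exp:", parse_last_wins(good)["exp"])  # server's 1615227615
    print("strict parser rejects vulnerable output:", is_rejected(bad))
```

      Run as a script it prints the same JSON body the report quotes for the vulnerable path, then shows the escaped body parsing back to the server's expiry. The two hardenings are complementary: escaping on the producer side removes the injection, and rejecting duplicate members on the consumer side means a token produced by an unpatched serializer (or any other sloppy issuer) fails closed instead of silently taking the last value.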

      People

        Assignee: coheigea Colm O hEigeartaigh
        Reporter: a.gonzalez Alonso Gonzalez
        Votes: 0
        Watchers: 2
