cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6216) No output sanitizing in FormattedServiceListWriter
Date Mon, 26 Jan 2015 16:41:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14292045#comment-14292045 ]

Sergey Beryozkin commented on CXF-6216:
---------------------------------------

I guess in theory at least if a path matrix is used, there might be some scope for an attack.
We do not use getRequestUri() to build an endpoint address as pointed out in [1]. It is:
{code:java}
URI uri = URI.create(reqPrefix);
sb.append(uri.getScheme()).append("://").append(uri.getRawAuthority());
sb.append(request.getContextPath()).append(request.getServletPath());
{code}

I think it is safe.

It is interesting all right, thanks for sharing the links.

But if we do not see that the code is open for such an injection attack then IMHO it is not
an issue, definitely not a Bug.
IMHO we should re-qualify it as Wish and do a resolution "Later". Unless Colm, Dan have
other ideas. I'll keep it open for a while.


[1] https://www.superevr.com/blog/2011/three-semicolon-vulnerabilities

> No output sanitizing in FormattedServiceListWriter 
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>
> No output sanitizing is done, which makes the code vulnerable to injection. I do not
have a specific use case, but it is a good habit to do. Maybe you can use the OWASP Sanitizer:
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file:
>         writer.write("<span class=\"field\">Endpoint address:</span> " + "<span class=\"value\">"
>                      + absoluteURL + "</span>");
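The two points of this thread side by side, as an added example that is not part of the JIRA issue or of CXF's own code: the address construction quoted in the comment (scheme and authority from the request prefix, path from the container-supplied context and servlet paths, so matrix parameters in the request line never reach the output) and the reporter's `writer.write` line with the address HTML-escaped before it is written. The class and method names (`EndpointListing`, `buildEndpointAddress`, `escapeHtml`, `renderEndpointLine`) are assumptions made for this example, the servlet request is replaced by plain string parameters, and the request prefix in `main` is a constructed value.

```java
import java.net.URI;

/**
 * Added illustration for CXF-6216 (not CXF code). Names here are assumptions
 * made for this example; the servlet request is replaced by plain strings.
 */
public class EndpointListing {

    /**
     * Mirrors the construction quoted in the comment: only scheme and authority are
     * taken from the request prefix; the path comes from the container-supplied
     * context and servlet paths, which cannot carry matrix parameters from the
     * request line.
     */
    public static String buildEndpointAddress(String reqPrefix, String contextPath, String servletPath) {
        // URI.create rejects characters that are illegal in a URI (e.g. '<', '>', '"',
        // space) by throwing IllegalArgumentException, so such input never reaches the
        // writer; characters such as ';' and '\'' are legal and do pass.
        URI uri = URI.create(reqPrefix);
        StringBuilder sb = new StringBuilder();
        sb.append(uri.getScheme()).append("://").append(uri.getRawAuthority());
        sb.append(contextPath).append(servletPath);
        return sb.toString();
    }

    /** Minimal HTML escaping for text placed in an element body or a quoted attribute. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The reporter's example line, with the address escaped before it is written. */
    public static String renderEndpointLine(String absoluteURL) {
        return "<span class=\"field\">Endpoint address:</span> "
             + "<span class=\"value\">" + escapeHtml(absoluteURL) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed request prefix carrying a matrix parameter with quote characters,
        // which URI.create accepts; "/app" and "/services" stand in for the values the
        // container would return from getContextPath() and getServletPath().
        String reqPrefix = "http://localhost:8080/app;name='x'/services";
        String address = buildEndpointAddress(reqPrefix, "/app", "/services");
        System.out.println(address);
        System.out.println(renderEndpointLine(address));

        // Even if an address did contain markup characters, escaping keeps them inert.
        System.out.println(renderEndpointLine("http://localhost:8080/app/<b>x</b>"));
    }
}
```

Run with `javac EndpointListing.java && java EndpointListing`. The first printed address contains only the scheme, authority, context path and servlet path; the matrix segment from the request line is dropped because it is never read. The escaping step is independent of that: it is what makes the listing safe should an address ever be assembled from a source that does carry request-controlled characters.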



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
