cxf-issues mailing list archives

From "Phillip Klinefelter (JIRA)" <>
Subject [jira] [Created] (CXF-6579) Inflated tokens can be corrupted if compression ratio is greater than 2:1
Date Fri, 04 Sep 2015 20:16:46 GMT
Phillip Klinefelter created CXF-6579:

             Summary: Inflated tokens can be corrupted if compression ratio is greater than
                 Key: CXF-6579
             Project: CXF
          Issue Type: Bug
          Components: Core, JAX-RS Security
    Affects Versions: 3.1.2, 2.7.17, 3.0.6
            Reporter: Phillip Klinefelter
            Priority: Critical

DeflateEncoderDecoder/CompressionUtils inflate method assumes that the compression ratio will
be 2:1.  That assumption is not true for SAML tokens with many similar attribute statements.
The inflated token will be corrupted with a portion of the token replaced with null characters.

    public void testInflateDeflateWithTokenDuplication() throws Exception {
        String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";

        DeflateEncoderDecoder deflateEncoderDecoder = new DeflateEncoderDecoder();
        byte[] deflatedToken = deflateEncoderDecoder.deflateToken(token.getBytes());

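        // The rest of this statement is cut off in the archived message;
        // the call to inflateToken(byte[]) is assumed here.
        String cxfInflatedToken = IOUtils.toString(
                deflateEncoderDecoder.inflateToken(deflatedToken));

        // Reference result: inflate the same raw-DEFLATE bytes with the JDK stream API.
        String streamInflatedToken = IOUtils.toString(
                new InflaterInputStream(new ByteArrayInputStream(deflatedToken),
                        new Inflater(true)));

        assertThat(streamInflatedToken, is(token));
        assertThat(cxfInflatedToken, is(token));
    }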

The stream inflated token is correct but the CXF inflated token is invalid.

Expected: is "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant"
     got: "t valid_grant valid_grant valid_grant"

This message was sent by Atlassian JIRA
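
The sizing assumption described in this report, as an added example that is not part of the original message and is not CXF's code: a raw-DEFLATE inflate into a buffer fixed at twice the compressed length, next to a loop that drains the `Inflater` until `finished()` with an upper bound on output. The class and method names and the `MAX_INFLATED` cap are hypothetical, and the sample token is constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.*;

public class InflateSizing {
    static final int MAX_INFLATED = 1 << 20; // hypothetical cap, so a tiny token cannot expand without limit

    // Failure mode: output buffer fixed at 2x the compressed length, single inflate() call.
    static byte[] inflateFixedRatio(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true);          // raw DEFLATE, as in the report's test
        inflater.setInput(deflated);
        byte[] out = new byte[deflated.length * 2];
        inflater.inflate(out);                           // stops at out.length; remaining data is never read
        inflater.end();
        return out;
    }

    // Drains the Inflater in chunks until finished(), rejecting output beyond the cap.
    static byte[] inflateFully(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary()))
                    throw new DataFormatException("truncated or unsupported DEFLATE stream");
                out.write(chunk, 0, n);
                if (out.size() > MAX_INFLATED)
                    throw new DataFormatException("inflated token exceeds " + MAX_INFLATED + " bytes");
            }
            return out.toByteArray();
        } finally {
            inflater.end();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (String.repeat needs Java 11+): repetition pushes the ratio far above 2:1.
        byte[] token = "valid_grant ".repeat(200).getBytes(StandardCharsets.UTF_8);
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(token);
        deflater.finish();
        byte[] buf = new byte[token.length];
        byte[] deflated = Arrays.copyOf(buf, deflater.deflate(buf));
        System.out.printf("original=%d deflated=%d fixed2x=%d chunked=%d%n", token.length,
                deflated.length, inflateFixedRatio(deflated).length, inflateFully(deflated).length);
    }
}
```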
