cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-6579) Inflated tokens can be corrupted if compression ratio is greater than 2:1
Date Sun, 06 Sep 2015 18:22:45 GMT


Sergey Beryozkin commented on CXF-6579:

Thanks for the test, I've introduced a 'deflate.level' contextual property. At the moment
the default is the Deflater.DEFLATE which can be set to 0, etc., if needed.

Should a level be set to 0 by default if no contextual property is available? I guess it might
be sensitive if somehow we have a client or server having different deflate level expectations,
so it is better to be configurable, just not sure how sensitive it can be if we set it to 0 by
default after the code used a different level... Probably should keep as is, but in this
case setting 'deflate.level' to something else would fix it. Phillip, does it work for you?

> Inflated tokens can be corrupted if compression ratio is greater than 2:1
> -------------------------------------------------------------------------
>                 Key: CXF-6579
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: Core, JAX-RS Security
>    Affects Versions: 3.0.6, 2.7.17, 3.1.2
>            Reporter: Phillip Klinefelter
>            Priority: Critical
> DeflateEncoderDecoder/CompressionUtils inflate method assumes that the compression ratio
> will be 2:1. That assumption is not true for SAML tokens with many similar attribute statements.
> The inflated token will be corrupted with a portion of the token replaced with null characters.
> {code}
>     @Test
>     public void testInflateDeflateWithTokenDuplication() throws Exception {
>         String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
>         DeflateEncoderDecoder deflateEncoderDecoder = new DeflateEncoderDecoder();
>         byte[] deflatedToken = deflateEncoderDecoder.deflateToken(token.getBytes());
>         String cxfInflatedToken = IOUtils
>                 .toString(deflateEncoderDecoder.inflateToken(deflatedToken));
>         String streamInflatedToken = IOUtils.toString(
>                 new InflaterInputStream(new ByteArrayInputStream(deflatedToken),
>                         new Inflater(true)));
>         assertThat(streamInflatedToken, is(token));
>         assertThat(cxfInflatedToken, is(token));
>     }
> {code}
> The stream inflated token is correct but the CXF inflated token is invalid.
> {code}
> java.lang.AssertionError: 
> Expected: is "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant"
>      got: "t valid_grant valid_grant valid_grant"
> {code}
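The buffer-sizing assumption the report describes, shown as an added example alongside a ratio-independent inflate loop. This is simplified illustration code written for this note, not CXF's DeflateEncoderDecoder or CompressionUtils; the class and method names are my own, and the token is the one from the test above.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.*;

public class InflateRatioDemo {
    static byte[] deflate(byte[] input) {
        Deflater d = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // raw DEFLATE, as for these tokens
        d.setInput(input);
        d.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[256];
        while (!d.finished()) out.write(buf, 0, d.deflate(buf));
        d.end();
        return out.toByteArray();
    }
    // Fixed-ratio inflate: a single buffer of 2x the compressed length and a single
    // inflate() call, so any output beyond that is silently dropped.
    static String inflateAssumingTwoToOne(byte[] deflated) throws DataFormatException {
        Inflater inf = new Inflater(true);
        inf.setInput(deflated);
        byte[] buf = new byte[deflated.length * 2];
        int n = inf.inflate(buf);   // returns at most buf.length; finished() is still false
        inf.end();
        return new String(buf, 0, n, StandardCharsets.UTF_8);
    }
    // Ratio-independent inflate: loop until finished(), and cap the inflated size so a
    // hostile token cannot expand without bound.
    static String inflateFully(byte[] deflated, int maxBytes) throws DataFormatException {
        Inflater inf = new Inflater(true);
        inf.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[256];
        while (!inf.finished()) {
            int n = inf.inflate(buf);
            if (n == 0 && (inf.needsInput() || inf.needsDictionary()))
                throw new DataFormatException("truncated or malformed deflate stream");
            out.write(buf, 0, n);
            if (out.size() > maxBytes) throw new DataFormatException("inflated size exceeds " + maxBytes);
        }
        inf.end();
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
        byte[] deflated = deflate(token.getBytes(StandardCharsets.UTF_8));
        System.out.println("compressed " + token.length() + " -> " + deflated.length + " bytes");
        System.out.println("fixed 2:1 buffer intact: " + token.equals(inflateAssumingTwoToOne(deflated)));
        System.out.println("looped inflate intact  : " + token.equals(inflateFully(deflated, 1 << 20)));
    }
}
```

With Deflater.NO_COMPRESSION (level 0, as discussed in the comment above) the stored blocks stay close to 1:1 and the fixed 2x buffer happens to be large enough, which is why a configurable level works around the symptom; the looped reader does not depend on the level at all.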

This message was sent by Atlassian JIRA
