cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6216) No output sanitizing in FormattedServiceListWriter
Date Fri, 04 Nov 2016 16:13:59 GMT

    [ https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15636852#comment-15636852 ]

Sergey Beryozkin commented on CXF-6216:
---------------------------------------

https://issues.apache.org/jira/browse/CXF-7128 has been created to review the possibility
of using OWASP sanitizers.

The 'matrix param' attack has been fixed by removing all the matrix parameters from the absolute
URL which is built by ServletController with the help of BaseUrlHelper. This constitutes a
concrete form of sanitizing the URI.  

> No output sanitizing in FormattedServiceListWriter 
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.2.0, 3.1.9, 3.0.12
>
>
> No output sanitizing is done, which makes the code vulnerable to injection. I do not
> have a specific use case, but it is a good habit. Maybe you can use the OWASP Sanitizer:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file:
>         writer.write("<span class=\"field\">Endpoint address:</span> "
>                      + "<span class=\"value\">" + absoluteURL + "</span>");



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
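As an added example (not CXF's code and not the actual fix), the `writer.write` line quoted in the issue in a hardened form: matrix parameters are stripped from the absolute URL, as the comment describes, and the result is HTML-escaped before it is concatenated into the markup. The class and method names, and the sample URL, are assumptions made for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not CXF code: a hardened form of the "Endpoint address" row
// quoted in CXF-6216. EndpointRow, stripMatrixParams, escapeHtml and
// endpointRow are hypothetical names chosen for this illustration.
public class EndpointRow {

    // Drop ";name=value" matrix parameters from every path segment, the shape of
    // fix the comment describes. java.net.URI rejects characters such as < > "
    // that are not legal in a URI, so malformed input is refused here.
    static String stripMatrixParams(String absoluteURL) {
        URI u;
        try {
            u = new URI(absoluteURL);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URI: " + e.getMessage());
        }
        if (u.getRawAuthority() == null || u.getRawPath() == null) {
            throw new IllegalArgumentException("expected an absolute hierarchical URL");
        }
        String[] segs = u.getRawPath().split("/", -1);
        for (int i = 0; i < segs.length; i++) {
            int semi = segs[i].indexOf(';');
            if (semi >= 0) segs[i] = segs[i].substring(0, semi);
        }
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        return u.getScheme() + "://" + u.getRawAuthority() + String.join("/", segs) + query;
    }

    // Minimal HTML entity escaping, a stand-in for a library encoder such as the
    // OWASP one the issue mentions. '&' and '\'' are legal in a URL, so escaping
    // still matters after the URL has been cleaned. '&' must be replaced first.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // The quoted writer.write(...) line, with the URL cleaned and escaped first.
    static String endpointRow(String absoluteURL) {
        return "<span class=\"field\">Endpoint address:</span> <span class=\"value\">"
             + escapeHtml(stripMatrixParams(absoluteURL)) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample: a matrix parameter plus a query containing '&'.
        System.out.println(endpointRow("http://localhost:8080/services;jsessionid=abc/soap?wsdl&v=1"));
    }
}
```

For the constructed sample the value span holds `http://localhost:8080/services/soap?wsdl&amp;v=1`: the `;jsessionid=abc` segment is gone and the `&` is entity-encoded.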
