From: "Boris Capitanu (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Fri, 17 Mar 2017 01:43:41 +0000 (UTC)
Subject: [jira] [Created] (CXF-7287) Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value

Boris Capitanu created CXF-7287:
-----------------------------------

             Summary: Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
                 Key: CXF-7287
                 URL: https://issues.apache.org/jira/browse/CXF-7287
             Project: CXF
          Issue Type: Bug
    Affects Versions: 3.1.7
         Environment: OSX, Tomcat8, Java8
            Reporter: Boris Capitanu


*Background*: Discovered when using JWT tokens. In org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer there is a line of code that reads:

{code}
JwtClaims theClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
{code}

If the method "getDecodedJwsPayload()" returns a JSON string like:

{noformat}
"\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\""
{noformat}

then the "fromJson" method returns an incorrect Map.

*The Bug*

The problem occurs in org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter (defined in cxf-rt-rs-json-basic-3.1.7.jar) in the _readJsonObjectAsSettable_ method. Specifically, line 188 reads:

{code}
int commaIndex = getCommaIndex(json, sepIndex + j);
{code}

which will cause the wrong comma index to be found for the JSON key "roles" in my example above (apparently commaIndex is used to find the "next JSON key" position in the JSON string).

I'm also thinking that it's possible that line 166 could be a problem as well, if a JSON value would ever contain an (escaped) quote character.

This JSON parsing seems fragile... I wonder why a "standard" JSON library wasn't used (perhaps just to not add an additional dependency?)

Proper parsing of commas in JSON values is important for JWT purposes, as the constructor of _org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext_ expects role claims to be comma-separated.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
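The two failure modes the report points at (a comma inside a string value, and an escaped quote inside a string value) come from the same root cause: scanning for the member separator without tracking whether the scanner is currently inside a quoted string. The following is an added illustration written for this ticket, not CXF code and not a reproduction of JsonMapObjectReaderWriter; the method names (commaIndex, readString, parseFlatStringObject), the class name and the PAYLOAD string are all illustrative. PAYLOAD is the report's claims wrapped in {...} so that it is a complete JSON object. The context-free search is just String.indexOf, as a contrast to the string-aware scan.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example for CXF-7287, not CXF code: names are illustrative, PAYLOAD is constructed.
public final class JsonMemberScanDemo {

    // The report's example claims, in object form.
    static final String PAYLOAD =
        "{\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\"}";

    // First ',' at or after 'from' that lies outside any double-quoted string,
    // or -1. A backslash inside a string consumes the next character, so an
    // escaped quote does not end the string early.
    static int commaIndex(String json, int from) {
        boolean inString = false;
        for (int i = from; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;                // skip the escaped character
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == ',') {
                return i;
            }
        }
        return -1;
    }

    // Decodes the string literal starting at json[start] == '"' into 'out';
    // returns the index just past the closing quote.
    static int readString(String json, int start, StringBuilder out) {
        if (start >= json.length() || json.charAt(start) != '"') {
            throw new IllegalArgumentException("expected '\"' at " + start);
        }
        for (int i = start + 1; i < json.length(); ) {
            char c = json.charAt(i++);
            if (c == '"') return i;
            if (c != '\\') { out.append(c); continue; }
            if (i >= json.length()) break;         // dangling backslash
            char e = json.charAt(i++);
            switch (e) {
                case '"': case '\\': case '/': out.append(e); break;
                case 'b': out.append('\b'); break;
                case 'f': out.append('\f'); break;
                case 'n': out.append('\n'); break;
                case 'r': out.append('\r'); break;
                case 't': out.append('\t'); break;
                case 'u':
                    if (i + 4 > json.length()) throw new IllegalArgumentException("truncated \\u");
                    out.append((char) Integer.parseInt(json.substring(i, i + 4), 16));
                    i += 4;
                    break;
                default: throw new IllegalArgumentException("bad escape \\" + e);
            }
        }
        throw new IllegalArgumentException("unterminated string");
    }

    private static int skipWs(String s, int i) {
        while (i < s.length() && Character.isWhitespace(s.charAt(i))) i++;
        return i;
    }

    // Parses a flat object whose values are all strings (the shape of the claims
    // above). Any other shape, or a trailing comma, is rejected, not guessed at.
    static Map<String, String> parseFlatStringObject(String json) {
        String s = json.trim();
        if (s.length() < 2 || s.charAt(0) != '{' || s.charAt(s.length() - 1) != '}') {
            throw new IllegalArgumentException("not a JSON object");
        }
        Map<String, String> out = new LinkedHashMap<>();
        int end = s.length() - 1;                  // index of the closing '}'
        int i = skipWs(s, 1);
        while (i < end) {
            StringBuilder key = new StringBuilder();
            StringBuilder value = new StringBuilder();
            i = skipWs(s, readString(s, i, key));
            if (i >= end || s.charAt(i) != ':') throw new IllegalArgumentException("expected ':' at " + i);
            i = skipWs(s, readString(s, skipWs(s, i + 1), value));
            out.put(key.toString(), value.toString());
            if (i >= end) break;                   // last member
            if (s.charAt(i) != ',' || skipWs(s, i + 1) >= end) {
                throw new IllegalArgumentException("expected another member at " + i);
            }
            i = skipWs(s, i + 1);
        }
        return out;
    }

    public static void main(String[] args) {
        int sep = PAYLOAD.indexOf("\"roles\":") + "\"roles\"".length();   // the ':' after the key
        System.out.println("context-free: " + PAYLOAD.indexOf(',', sep + 1));  // stops inside "admin,user"
        System.out.println("string-aware: " + commaIndex(PAYLOAD, sep + 1));   // stops after the value
        Map<String, String> claims = parseFlatStringObject(PAYLOAD);
        // JwtTokenSecurityContext expects the roles claim to be comma-separated.
        System.out.println(claims + " -> " + Arrays.asList(claims.get("roles").split(",")));
        // An escaped quote and a comma inside one value both survive intact.
        System.out.println(parseFlatStringObject("{\"note\":\"say \\\"hi\\\", please\"}"));
    }
}
```

Compile and run with `javac JsonMemberScanDemo.java && java JsonMemberScanDemo`. The first two lines of output show the two scanners disagreeing on where the "roles" member ends: the context-free search returns the comma between admin and user, the string-aware one returns the comma that follows the closing quote. The parser is deliberately limited to flat objects with string values, which is enough to show that a separator scan must be driven by the tokenizer's quoting state; for real claim sets (nested objects, arrays, numbers) a standard JSON library is the safer choice, as the report suggests.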