You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Alonso Gonzalez (Jira)" <ji...@apache.org> on 2021/03/08 18:19:00 UTC

[jira] [Created] (CXF-8434) JsonMapObjectReaderWriter doesn't escape double quotes

Alonso Gonzalez created CXF-8434:
------------------------------------

             Summary: JsonMapObjectReaderWriter doesn't escape double quotes
                 Key: CXF-8434
                 URL: https://issues.apache.org/jira/browse/CXF-8434
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 3.4.1
            Reporter: Alonso Gonzalez
         Attachments: TestJson.java

JsonMapObjectReaderWriter doesn't escape double quotes when writing String values. The writer appends values using 'out.append(value.toString());' without any checks.

If the value of a JWT claim contains double quotes, it's possible to manipulate the serialized JSON. This is especially problematic if user supplied values are part of the JWT.

 

I've added an example program where the expiration of a token is set 5 minutes and a second claim named "additionalClaim" has the value: <<a","exp":9999999999,"b":"x>>

JsonMapObjectReaderWriter serializes this as:

{"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}

If the used JWT parser (like CXF itself) implements a "last key occurence wins" strategy. The expiration of the parsed JWT will be 9999999999.

 

 

Thus, if a 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)