You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Alonso Gonzalez (Jira)" <ji...@apache.org> on 2021/03/08 18:19:00 UTC
[jira] [Created] (CXF-8434) JsonMapObjectReaderWriter doesn't
escape double quotes
Alonso Gonzalez created CXF-8434:
------------------------------------
Summary: JsonMapObjectReaderWriter doesn't escape double quotes
Key: CXF-8434
URL: https://issues.apache.org/jira/browse/CXF-8434
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 3.4.1
Reporter: Alonso Gonzalez
Attachments: TestJson.java
JsonMapObjectReaderWriter doesn't escape double quotes when writing String values. The writer appends values using 'out.append(value.toString());' without any checks.
If the value of a JWT claim contains double quotes, it's possible to manipulate the serialized JSON. This is especially problematic if user supplied values are part of the JWT.
I've added an example program where the expiration of a token is set 5 minutes and a second claim named "additionalClaim" has the value: <<a","exp":9999999999,"b":"x>>
JsonMapObjectReaderWriter serializes this as:
{"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}
If the used JWT parser (like CXF itself) implements a "last key occurence wins" strategy. The expiration of the parsed JWT will be 9999999999.
Thus, if a
--
This message was sent by Atlassian Jira
(v8.3.4#803005)