Posted to issues@cxf.apache.org by "Phillip Klinefelter (JIRA)" <ji...@apache.org> on 2015/09/04 22:16:46 UTC
[jira] [Created] (CXF-6579) Inflated tokens can be corrupted if compression ratio is greater than 2:1
Phillip Klinefelter created CXF-6579:
----------------------------------------
Summary: Inflated tokens can be corrupted if compression ratio is greater than 2:1
Key: CXF-6579
URL: https://issues.apache.org/jira/browse/CXF-6579
Project: CXF
Issue Type: Bug
Components: Core, JAX-RS Security
Affects Versions: 3.1.2, 2.7.17, 3.0.6
Reporter: Phillip Klinefelter
Priority: Critical
DeflateEncoderDecoder/CompressionUtils inflate method assumes that the compression ratio will be 2:1. That assumption is not true for SAML tokens with many similar attribute statements. The inflated token will be corrupted with a portion of the token replaced with null characters.
https://github.com/apache/cxf/blob/cxf-2.7.17/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java#L34
https://github.com/apache/cxf/blob/cxf-3.0.6/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
https://github.com/apache/cxf/blob/cxf-3.1.2/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
{code}
import java.io.ByteArrayInputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;
import org.apache.cxf.helpers.IOUtils; // assumed; any IOUtils.toString(InputStream) works here
import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
import org.junit.Test;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertThat;

@Test
public void testInflateDeflateWithTokenDuplication() throws Exception {
    // Highly repetitive token: deflates to well under half its size
    String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
    DeflateEncoderDecoder deflateEncoderDecoder = new DeflateEncoderDecoder();
    byte[] deflatedToken = deflateEncoderDecoder.deflateToken(token.getBytes());
    // Inflate with CXF's helper...
    String cxfInflatedToken = IOUtils
        .toString(deflateEncoderDecoder.inflateToken(deflatedToken));
    // ...and with a plain JDK InflaterInputStream (raw deflate, nowrap=true) for comparison
    String streamInflatedToken = IOUtils.toString(
        new InflaterInputStream(new ByteArrayInputStream(deflatedToken),
            new Inflater(true)));
    assertThat(streamInflatedToken, is(token));
    assertThat(cxfInflatedToken, is(token));
}
{code}
The stream inflated token is correct but the CXF inflated token is invalid.
{code}
java.lang.AssertionError:
Expected: is "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant"
got: "t valid_grant valid_grant valid_grant"
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
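Added illustration, not CXF's code: a raw-deflate round trip of the same repetitive token, showing that a single inflate() call into a buffer sized at twice the compressed length (the 2:1 assumption the report describes) silently loses output, while looping until finished() recovers the whole token. The class and method names are made up for this example; the exact corruption CXF produced depends on its own buffer handling and is not reproduced here.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class InflateBufferDemo {
    // Raw (nowrap) deflate of a short input; one call suffices once finish() is set.
    static byte[] deflate(byte[] input) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(input);
        deflater.finish();
        byte[] buf = new byte[input.length + 64]; // room even for an uncompressed stored block
        int len = deflater.deflate(buf);
        deflater.end();
        return Arrays.copyOf(buf, len);
    }
    // Illustrative weak pattern (not CXF's code): a single inflate() into a buffer
    // sized on the assumption that output is at most twice the compressed input.
    static byte[] inflateAssumingTwoToOne(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        byte[] buf = new byte[deflated.length * 2];
        int n = inflater.inflate(buf); // stops when buf is full; finished() stays false
        inflater.end();
        return Arrays.copyOf(buf, n);  // bytes beyond 2x are silently dropped
    }
    // Corrected: keep calling inflate() until the stream reports finished().
    static byte[] inflateFully(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[256];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            // No progress and no more input: the stream was cut short, not just slow
            if (n == 0 && inflater.needsInput()) throw new DataFormatException("truncated deflate stream");
            out.write(buf, 0, n);
        }
        inflater.end();
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
        byte[] deflated = deflate(token.getBytes(StandardCharsets.UTF_8));
        System.out.println("2x buffer ok: " + token.equals(new String(inflateAssumingTwoToOne(deflated), StandardCharsets.UTF_8)));
        System.out.println("loop ok:      " + token.equals(new String(inflateFully(deflated), StandardCharsets.UTF_8)));
    }
}
```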