You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Alonso Gonzalez (Jira)" <ji...@apache.org> on 2021/03/08 18:40:00 UTC
[jira] [Created] (CXF-8435) JsonMapObjectReaderWriter doesn't
escape double quotes
Alonso Gonzalez created CXF-8435:
------------------------------------
Summary: JsonMapObjectReaderWriter doesn't escape double quotes
Key: CXF-8435
URL: https://issues.apache.org/jira/browse/CXF-8435
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 3.4.1
Reporter: Alonso Gonzalez
Attachments: TestJson.java
JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values without any modifications/checks.
If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user supplied values are included.
I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.
JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body: \{"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}
If the parsing library (like CXF itself) overwrites duplicate claims, the last occurence of a claim wins.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)