Posted to issues@cxf.apache.org by "Alonso Gonzalez (Jira)" <ji...@apache.org> on 2021/03/08 18:40:00 UTC

[jira] [Created] (CXF-8435) JsonMapObjectReaderWriter doesn't escape double quotes

Alonso Gonzalez created CXF-8435:
------------------------------------

             Summary: JsonMapObjectReaderWriter doesn't escape double quotes
                 Key: CXF-8435
                 URL: https://issues.apache.org/jira/browse/CXF-8435
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 3.4.1
            Reporter: Alonso Gonzalez
         Attachments: TestJson.java

JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values verbatim, without escaping or checking them.

If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user-supplied values are included in claims.

I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.

JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body: {"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}

If the parsing library (like CXF itself) overwrites duplicate claims, the last occurrence of a claim wins, so the injected "exp" replaces the intended one.
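The following is an added illustration, not CXF code: a small Python model of the unescaped serializer described above, the escaped form that fixes it, and a duplicate-key check a consumer can run on a claims payload before trusting it. The claim values are constructed from the example in this report.

```python
import json

# Constructed sample: the claims from the report, with the quote-bearing user input.
SAMPLE_CLAIMS = {
    "exp": 1615227615,
    "additionalClaim": 'a","exp":9999999999,"b":"x',
}


def to_json_unescaped(claims):
    """Model of the bug: string values are appended verbatim, as described
    for toJsonInternal. This is NOT the CXF implementation, only its behaviour."""
    parts = []
    for key, value in claims.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (key, value))
        else:
            parts.append('"%s":%s' % (key, json.dumps(value)))
    return "{" + ",".join(parts) + "}"


def to_json_escaped(claims):
    """Hardened form: every string goes through a JSON string encoder, so a
    quote inside a claim value becomes \\" and cannot terminate the string."""
    return json.dumps(claims, separators=(",", ":"))


def duplicate_keys(text):
    """Detection check: return keys that appear more than once in any object
    of the payload. A JWT claims set with a repeated key should be rejected."""
    dupes = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dupes


def parsed_exp(text):
    """What a last-wins parser ends up using as the expiration."""
    return json.loads(text)["exp"]
```

Running `to_json_unescaped(SAMPLE_CLAIMS)` reproduces the JSON body quoted in the report, `parsed_exp` on it yields the injected 9999999999, and `duplicate_keys` flags "exp"; the escaped form round-trips to the original claims with no duplicates.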

--
This message was sent by Atlassian Jira
(v8.3.4#803005)