[ 
https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14292045#comment-14292045
 ] 

Sergey Beryozkin commented on CXF-6216:
---------------------------------------

I guess in theory at least if a path matrix is used, there might be some scope 
for an attack.
We do not use getRequestUri() to build an endpoint address as pointed out in 
[1]. It is:
{code:java}
// Scheme and authority are taken from the configured request prefix, not from getRequestUri()
URI uri = URI.create(reqPrefix);
sb.append(uri.getScheme()).append("://").append(uri.getRawAuthority());
// Context path and servlet path are supplied by the servlet container
sb.append(request.getContextPath()).append(request.getServletPath());
{code}

I think it is safe.

It is interesting all right, thanks for sharing the links.

But if we do not see that the code is open for such an injection attack then 
IMHO it is not an issue, definitely not a Bug.
IMHO we should re-qualify it as Wish and do a resolution "Later". Unless 
Colm or Dan have other ideas. I'll keep it open for a while.


[1] https://www.superevr.com/blog/2011/three-semicolon-vulnerabilities

> No output sanitizing in FormattedServiceListWriter 
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>
> No output sanitizing is done, which makes the code vulnerable to injection. 
> I do not have a specific use case, but it is a good habit to do. Maybe you can 
> use the OWASP Sanitizer: 
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file: 
> writer.write("<span class=\"field\">Endpoint address:</span> "
>              + "<span class=\"value\">" + absoluteURL + "</span>");
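
The two code fragments in this thread, put side by side as an added example (this is not CXF code and not the commenter's code; class and method names, and the sample values, are constructed for illustration). It builds the endpoint address the way Sergey's snippet does, from the scheme and authority of a request prefix plus the container-supplied context and servlet paths, so a matrix segment in the prefix path never reaches the output, and then HTML-escapes the value before it is placed in the span from the issue description. The escaping helper is a minimal stand-in for whatever escaper the project would choose.

```java
import java.net.URI;

/**
 * Added example, not part of CXF: address construction as described in the
 * comment, plus HTML escaping of the value before it is written into the
 * service list page. All names and sample values here are constructed.
 */
public class EndpointAddressExample {

    /**
     * Mirrors the snippet in the comment: only scheme and authority are taken
     * from reqPrefix; contextPath and servletPath stand in for the values the
     * servlet container returns from request.getContextPath() and
     * request.getServletPath(). The prefix's own path is never copied.
     */
    static String buildAddress(String reqPrefix, String contextPath, String servletPath) {
        URI uri = URI.create(reqPrefix);
        StringBuilder sb = new StringBuilder();
        sb.append(uri.getScheme()).append("://").append(uri.getRawAuthority());
        sb.append(contextPath).append(servletPath);
        return sb.toString();
    }

    /** Minimal escaping for text placed in an element body or a double-quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The span from the issue description, with the address escaped before output. */
    static String renderAddressField(String absoluteURL) {
        return "<span class=\"field\">Endpoint address:</span> "
             + "<span class=\"value\">" + escapeHtml(absoluteURL) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample: a prefix whose path carries a matrix parameter.
        String reqPrefix = "http://example.test:8080/cxf;color=red/services";
        String address = buildAddress(reqPrefix, "/cxf", "/services");
        // Only scheme, authority and the container paths survive: http://example.test:8080/cxf/services
        System.out.println(address);

        // Constructed sample: a value containing HTML-significant characters.
        String odd = "http://example.test/services/<a>&\"b\"";
        // Printed with the characters turned into entities, so the markup stays inert.
        System.out.println(renderAddressField(odd));
    }
}
```

The OWASP Java HTML Sanitizer named in the issue is meant for untrusted HTML fragments that should keep some markup; for a URL that is written as plain text into a span, context-appropriate escaping as in `escapeHtml` is the relevant control, and it costs nothing even when the address is already built only from trusted parts.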



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
