[ https://issues.apache.org/jira/browse/CXF-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6579.
------------------------------------

> Inflated tokens can be corrupted if compression ratio is greater than 2:1
> -------------------------------------------------------------------------
>
>                 Key: CXF-6579
>                 URL: https://issues.apache.org/jira/browse/CXF-6579
>             Project: CXF
>          Issue Type: Bug
>          Components: Core, JAX-RS Security
>    Affects Versions: 3.0.6, 2.7.17, 3.1.2
>            Reporter: Phillip Klinefelter
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.1.3, 2.7.18, 3.0.7
>
>
> DeflateEncoderDecoder/CompressionUtils inflate method assumes that the 
> compression ratio will be 2:1.  That assumption is not true for SAML tokens 
> with many similar attribute statements.  The inflated token will be corrupted 
> with a portion of the token replaced with null characters.
> https://github.com/apache/cxf/blob/cxf-2.7.17/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java#L34
> https://github.com/apache/cxf/blob/cxf-3.0.6/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
> https://github.com/apache/cxf/blob/cxf-3.1.2/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
> {code}
>     @Test
>     public void testInflateDeflateWithTokenDuplication() throws Exception {
>         String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
>         DeflateEncoderDecoder deflateEncoderDecoder = new DeflateEncoderDecoder();
>         byte[] deflatedToken = deflateEncoderDecoder.deflateToken(token.getBytes());
>         String cxfInflatedToken = IOUtils
>                 .toString(deflateEncoderDecoder.inflateToken(deflatedToken));
>         String streamInflatedToken = IOUtils.toString(
>                 new InflaterInputStream(new ByteArrayInputStream(deflatedToken),
>                         new Inflater(true)));
>         assertThat(streamInflatedToken, is(token));
>         assertThat(cxfInflatedToken, is(token));
>     }
> {code}
> The stream inflated token is correct but the CXF inflated token is invalid.
> {code}
> java.lang.AssertionError: 
> Expected: is "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant"
>      got: "t valid_grant valid_grant valid_grant"
> {code}
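The failure described above comes from sizing the inflate buffer from the compressed length. The following is an added illustration, not CXF's code: a hypothetical `inflateNaive` that allocates twice the compressed size and calls `inflate()` once (so highly repetitive input, such as a SAML token with many near-identical attribute statements, is silently truncated), beside `inflateBounded`, which loops until the `Inflater` reports it has finished and also caps the output size so a caller decoding untrusted tokens is not exposed to a decompression bomb. The `deflate` helper, the class name and the constructed sample token are all assumptions for this demo.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class InflateRatioDemo {

    // Raw DEFLATE (nowrap = true), the framing used for deflate-encoded SAML tokens.
    // Helper assumed for this demo, not a CXF API.
    static byte[] deflate(byte[] input) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(input);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            int n = deflater.deflate(buf);
            out.write(buf, 0, n);
        }
        deflater.end();
        return out.toByteArray();
    }

    // Hypothetical naive inflate that bakes in a 2:1 ratio assumption:
    // one fixed buffer, one inflate() call. Whatever does not fit is lost.
    static byte[] inflateNaive(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        byte[] buf = new byte[deflated.length * 2];
        int n = inflater.inflate(buf); // may stop with data still pending
        inflater.end();
        return Arrays.copyOf(buf, n);
    }

    // Correct shape: keep inflating until finished(), growing the output as
    // needed, and refuse streams that expand beyond maxOutput bytes.
    static byte[] inflateBounded(byte[] deflated, int maxOutput) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    // Input ran out before the stream's end marker: truncated or malformed.
                    throw new DataFormatException("truncated or malformed deflate stream");
                }
                if (out.size() + n > maxOutput) {
                    throw new DataFormatException("inflated size exceeds limit of " + maxOutput);
                }
                out.write(buf, 0, n);
            }
        } finally {
            inflater.end();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the same repetitive token shape as in the report.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 6; i++) {
            sb.append("valid_grant ");
        }
        String token = sb.toString().trim();
        byte[] original = token.getBytes(StandardCharsets.UTF_8);
        byte[] deflated = deflate(original);

        System.out.printf("original %d bytes, deflated %d bytes, ratio %.1f:1%n",
                original.length, deflated.length, (double) original.length / deflated.length);

        byte[] naive = inflateNaive(deflated);
        System.out.println("naive inflate matches:   " + Arrays.equals(original, naive)
                + " (" + naive.length + " bytes)");

        byte[] bounded = inflateBounded(deflated, 64 * 1024);
        System.out.println("bounded inflate matches: " + Arrays.equals(original, bounded)
                + " (" + bounded.length + " bytes)");
    }
}
```

Run it with `javac InflateRatioDemo.java && java InflateRatioDemo`. Once the compression ratio passes 2:1 the naive variant returns fewer bytes than the original, while the bounded loop reproduces the token exactly; the `maxOutput` cap is the extra check worth keeping when the compressed bytes arrive from an unauthenticated client.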



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
