[ https://issues.apache.org/jira/browse/CXF-7287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin updated CXF-7287:
----------------------------------
Component/s: JAX-RS Security, JAX-RS
> Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in value
> ----------------------------------------------------------------------------------
>
> Key: CXF-7287
> URL: https://issues.apache.org/jira/browse/CXF-7287
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Affects Versions: 3.1.10
> Environment: OSX, Tomcat8, Java8
> Reporter: Boris Capitanu
>
> *Background*:
> Discovered when using JWT tokens. In
> org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer there is a line of
> code that reads:
> {code}
> JwtClaims theClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
> {code}
> If the method "getDecodedJwsPayload()" returns a JSON string like:
> {noformat}
> "\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\""
> {noformat}
> then the "fromJson" method returns an incorrect Map.
> *The Bug*
> The problem occurs in
> org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter (defined in
> cxf-rt-rs-json-basic-3.1.10.jar) in the _readJsonObjectAsSettable_ method.
> Specifically, line 188 reads:
> {code}
> int commaIndex = getCommaIndex(json, sepIndex + j);
> {code}
> which will cause the wrong comma index to be found for the JSON key "roles"
> in my example above (apparently commaIndex is used to find the "next json
> key" position in the json string).
> I'm also thinking that it's possible that line 166 could be a problem as
> well, if a JSON value would ever contain an (escaped) quote character.
> This JSON parsing seems fragile... I wonder why a "standard" JSON library
> wasn't used (perhaps just to not add an additional dependency?)
> Proper parsing of commas in JSON values is important for JWT purposes as the
> constructor of
> _org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext_ expects role
> claims to be comma-separated.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
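As an added illustration, not CXF's code and not part of the reporter's description: the report describes a reader that locates the end of each value by searching for the next comma in the raw text, without checking whether that comma sits inside a string literal. The Python below contrasts a naive comma-search parser of that shape with a string-aware scanner that tracks quote state, backslash escapes and bracket depth, runs both over a constructed payload like the one in the report (and a second one with an escaped quote, the case the reporter suspects around line 166), and shows what a downstream comma-split of the roles claim would see in each case. The function names (`naive_parse`, `find_top_level`, `scanner_parse`, `roles_from_claims`) and both sample payloads are constructed for this example.

```python
import json

# Constructed sample payloads (modelled on the report, not taken from a real token).
SAMPLE_PAYLOAD = '{"sub":"admin","roles":"admin,user","iss":"auth0"}'
# Second constructed sample: a value containing an escaped quote and a comma.
ESCAPED_PAYLOAD = '{"sub":"a\\"b,c","iss":"x"}'


def naive_parse(payload):
    """Parser of the shape the report describes: after each ':' it takes the
    next ',' in the raw text as the end of the value, so a comma inside a
    string value is mistaken for a member separator. Illustration only."""
    body = payload.strip()[1:-1]  # drop the outer braces
    result = {}
    pos = 0
    while pos < len(body):
        sep = body.index(':', pos)
        key = body[pos:sep].strip().strip('"')
        comma = body.find(',', sep + 1)
        if comma == -1:
            comma = len(body)
        value = body[sep + 1:comma].strip().strip('"')
        result[key] = value
        pos = comma + 1
    return result


def find_top_level(s, target, start=0):
    """Index of the next `target` character that is outside any string
    literal and at nesting depth 0, honouring backslash escapes; -1 if none."""
    in_string = False
    depth = 0
    i = start
    while i < len(s):
        c = s[i]
        if in_string:
            if c == '\\':
                i += 1          # skip the escaped character (e.g. \" or \\)
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c in '{[':
            depth += 1
        elif c in '}]':
            depth -= 1
        elif c == target and depth == 0:
            return i
        i += 1
    return -1


def scanner_parse(payload):
    """Same member-by-member loop as naive_parse, but separators are found
    with the string-aware scanner and scalars are decoded as JSON literals."""
    body = payload.strip()[1:-1]
    result = {}
    pos = 0
    while pos < len(body):
        sep = find_top_level(body, ':', pos)
        key = json.loads(body[pos:sep].strip())
        comma = find_top_level(body, ',', sep + 1)
        if comma == -1:
            comma = len(body)
        value = json.loads(body[sep + 1:comma].strip())
        result[key] = value
        pos = comma + 1
    return result


def roles_from_claims(claims):
    """Downstream consumer: the report says the JWT security context expects
    a comma-separated roles claim, so split it into a set of role names."""
    raw = claims.get("roles", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


if __name__ == "__main__":
    for name, parser in (("naive", naive_parse), ("scanner", scanner_parse)):
        claims = parser(SAMPLE_PAYLOAD)
        print(name, claims, roles_from_claims(claims))
    print("stdlib", json.loads(SAMPLE_PAYLOAD))
```

On the first payload the naive parser returns `roles` as `admin` and produces a garbage key built from the tail of the value and the next key, so the security context would never see the `user` role; the scanner returns the same map as `json.loads`. The second payload shows why scanning for quotes alone is not enough: an escaped quote must be skipped as well, or the scanner leaves string state one character early. In practice the robust choice is a real JSON library rather than a hand-rolled scanner; the scanner is shown only to make the failure mode concrete.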