[ https://issues.apache.org/jira/browse/CXF-7287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15932824#comment-15932824 ]

Sergey Beryozkin commented on CXF-7287:
---------------------------------------

As far as the possible support for an encoded double quote is concerned, I'd 
rather look into it when a good practical case for it is found. You are 
right, JSON values may have such encoded characters in general, but having them 
in JWT token claim values appears to be very unusual to me, and there's always 
an option to use an escaped unicode sequence representing a double quote if 
really needed.
thanks

> Incorrect JSON decoding in JsonMapObjectReaderWriter when commas are used in 
> value
> ----------------------------------------------------------------------------------
>
>                 Key: CXF-7287
>                 URL: https://issues.apache.org/jira/browse/CXF-7287
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 3.1.10
>         Environment: OSX, Tomcat8, Java8
>            Reporter: Boris Capitanu
>            Assignee: Sergey Beryozkin
>             Fix For: 3.2.0, 3.1.11
>
>
> *Background*:
> Discovered when using JWT tokens. In 
> org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer there is a line of 
> code that reads:
> {code}
> JwtClaims theClaims = new 
> JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
> {code}
> If the method "getDecodedJwsPayload()" returns a JSON string like:
> {noformat}
> "\"sub\":\"admin\",\"roles\":\"admin,user\",\"iss\":\"auth0\""
> {noformat}
> then the "fromJson" method returns an incorrect Map.
> *The Bug*
> The problem occurs in 
> org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter (defined in 
> cxf-rt-rs-json-basic-3.1.10.jar) in the _readJsonObjectAsSettable_ method. 
> Specifically, line 188 reads:
> {code}
> int commaIndex = getCommaIndex(json, sepIndex + j);
> {code}
> which will cause the wrong comma index to be found for the JSON key "roles" 
> in my example above (apparently commaIndex is used to find the "next json 
> key" position in the json string).  
> I'm also thinking that it's possible that line 166 could be a problem as 
> well, if a JSON value would ever contain an (escaped) quote character.
> This JSON parsing seems fragile... I wonder why a "standard" JSON library 
> wasn't used (perhaps just to not add an additional dependency?)
> Proper parsing of commas in JSON values is important for JWT purposes as the 
> constructor of 
> _org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext_ expects role 
> claims to be comma-separated.
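As an added illustration (not CXF code and not the reporter's), the comma scan the report describes is placed beside a string-aware variant that also skips backslash escapes; `PAYLOAD` is a constructed value mirroring the report's example, and `read_pairs`/`roles_from` are hypothetical helpers standing in for the reader and the security context.

```python
# Constructed example, not CXF code: models the CXF-7287 failure mode, where the
# next-pair scan looks for ',' without tracking whether it is inside a string.

# Constructed payload with the shape used in the report; the compact consumer
# has already stripped the surrounding braces.
PAYLOAD = '"sub":"admin","roles":"admin,user","iss":"auth0"'

def naive_comma_index(json, start):
    """Buggy behaviour: first ',' at or after start, ignoring string context."""
    return json.find(",", start)

def string_aware_comma_index(json, start):
    """Next ',' outside a double-quoted string, or -1; escaped chars are
    skipped so an escaped quote (the line-166 concern) cannot end a string."""
    in_string, i = False, start
    while i < len(json):
        c = json[i]
        if in_string:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == ",":
            return i
        i += 1
    return -1

def read_pairs(json, comma_index):
    """Split a flattened object body into key/value strings using comma_index."""
    pairs, pos = {}, 0
    while pos < len(json):
        sep = json.find(":", pos)
        if sep == -1:
            break
        end = comma_index(json, sep + 1)
        if end == -1:
            end = len(json)
        key = json[pos:sep].strip().strip('"')
        pairs[key] = json[sep + 1:end].strip().strip('"')
        pos = end + 1
    return pairs

def roles_from(pairs):
    """Comma-separated role claim, as JwtTokenSecurityContext expects it."""
    return [r for r in pairs.get("roles", "").split(",") if r]
```

With the naive scan the "roles" value is cut at its embedded comma and the "iss" claim disappears into a mangled key, so both authorization and issuer checks operate on the wrong data.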



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
