Alonso Gonzalez created CXF-8434:
------------------------------------

             Summary: JsonMapObjectReaderWriter doesn't escape double quotes
                 Key: CXF-8434
                 URL: https://issues.apache.org/jira/browse/CXF-8434
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 3.4.1
            Reporter: Alonso Gonzalez
         Attachments: TestJson.java

JsonMapObjectReaderWriter doesn't escape double quotes when writing String 
values. The writer appends values using 'out.append(value.toString());' without 
any checks.

If the value of a JWT claim contains double quotes, it's possible to manipulate 
the serialized JSON. This is especially problematic if user-supplied values are 
part of the JWT.

I've added an example program where the expiration of a token is set to 5 minutes 
and a second claim named "additionalClaim" has the value: 
<<a","exp":9999999999,"b":"x>>

JsonMapObjectReaderWriter serializes this as:

{"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}

If the JWT parser used (such as CXF itself) implements a "last key occurrence wins" 
strategy, the expiration of the parsed JWT will be 9999999999.

Thus, if a 

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
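As an added illustration (not CXF's code; the function names are hypothetical), the following Python reproduces the serialization described in the report, places it beside a writer that escapes string values per RFC 8259, and shows a parser that rejects duplicated keys instead of letting the last occurrence win. The escaping shown generalizes beyond double quotes to backslashes and control characters.

```python
import json

# Constructed claims mirroring the report: a fixed expiry plus a user-controlled
# claim whose value carries double quotes.
CLAIMS = {"exp": 1615227615, "additionalClaim": 'a","exp":9999999999,"b":"x'}


def naive_write(claims):
    """Mimics the reported defect: string values are appended verbatim, unescaped."""
    parts = []
    for key, value in claims.items():
        rendered = f'"{value}"' if isinstance(value, str) else str(value)
        parts.append(f'"{key}":{rendered}')
    return "{" + ",".join(parts) + "}"


def escaped_write(claims):
    """Hardened writer: keys and string values go through a JSON string encoder,
    which escapes quotes, backslashes and control characters (RFC 8259)."""
    parts = []
    for key, value in claims.items():
        rendered = json.dumps(value) if isinstance(value, str) else str(value)
        parts.append(f"{json.dumps(key)}:{rendered}")
    return "{" + ",".join(parts) + "}"


def parse_last_wins(doc):
    """Lenient parser: json.loads keeps the last occurrence of a duplicated key."""
    return json.loads(doc)


def parse_strict(doc):
    """Defensive parser: refuse any object that repeats a key, so an injected
    second "exp" cannot silently override the first."""
    def reject_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate JSON key: {key!r}")
            obj[key] = value
        return obj
    return json.loads(doc, object_pairs_hook=reject_duplicates)


def strict_rejects(doc):
    """True when the strict parser refuses the document."""
    try:
        parse_strict(doc)
    except ValueError:
        return True
    return False
```

With the constructed claims, naive_write produces exactly the string quoted in the report and the lenient parser reads exp as 9999999999, while the escaped form parses back to the original two claims.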