- Bug
- Resolution: Won't Do
- Low
- None
- 1.0.1
- None
Hello,
I want to report a bug found using the new Magnolia Publish Module in a web application with Spring Security. In the class "HeadersDispatcher" there's a method called "setResponseHeaders" which sets "sa_attribute_message" with the label "publishing-receiver.headersDispatcher.error". The value of this label is "[WEBAPP: {0}]*\n* Message: {1}]".
Afterwards there's this Spring Security class that evaluates whether an HTTP header value contains CR/LF (this is the class -> https://github.com/spring-projects/spring-security/pull/3938/commits/302dede75e8af5e920f637926a3283cf8be289bf ).
This process finds the chars \n and throws an IllegalArgumentException that breaks the publication process. If you simply remove "\n" from the message it works.
In general the use of a new line inside a header is problematic because it is usually blocked due to the security problem of HTTP response splitting https://www.owasp.org/index.php/HTTP_Response_Splitting
Davide
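The failure mode described in the report, as an added example that is neither Magnolia's nor Spring Security's code: a standalone Python sketch of a CR/LF header check, the label with the embedded "\n" that trips it, a sanitised form that passes, and, going beyond the report, what an unfiltered header value does to a raw HTTP response once an attacker controls the {1} part. The header name and label text come from the report; the web app name, the messages, the `raw_response`/`parse_response` helpers and the sanitiser are constructed here for illustration.

```python
import re

# Header name and label text taken from the bug report; {0} is the web app
# name and {1} the message, as in a Java MessageFormat / Python str.format.
HEADER_NAME = "sa_attribute_message"
ERROR_LABEL = "[WEBAPP: {0}]\n Message: {1}"

CRLF_RE = re.compile(r"[\r\n]")


def is_valid_header_value(value):
    """True if the value carries no CR or LF (the kind of check the report hit)."""
    return CRLF_RE.search(value) is None


def validate_header_value(name, value):
    """Reject-at-the-sink behaviour: refuse any header value containing CR/LF."""
    if not is_valid_header_value(value):
        raise ValueError(f"Invalid characters (CR/LF) in header {name}")
    return value


def sanitize_header_value(value):
    """Collapse each run of CR/LF (and adjacent blanks) into a single space."""
    return re.sub(r"[ \t]*[\r\n]+[ \t]*", " ", value).strip()


def build_error_header(webapp, message, sanitize=False):
    """Render the label and pass it through the CR/LF check.

    sanitize=False reproduces the report: the "\\n" baked into the label
    fails validation before the header is ever written.
    """
    value = ERROR_LABEL.format(webapp, message)
    if sanitize:
        value = sanitize_header_value(value)
    return validate_header_value(HEADER_NAME, value)


def raw_response(headers, body):
    """Serialise a response with NO CR/LF filtering: the unsafe path."""
    lines = ["HTTP/1.1 200 OK"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines += ["", body]
    return "\r\n".join(lines)


def parse_response(raw):
    """Split a raw response into (status, headers, body) as a proxy or browser would."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def splitting_demo(message, sanitize):
    """Embed a (constructed, attacker-chosen) message and parse what comes out."""
    value = ERROR_LABEL.format("site", message)  # "site" is a made-up web app name
    if sanitize:
        value = sanitize_header_value(value)
    _, headers, body = parse_response(raw_response([(HEADER_NAME, value)], "real body"))
    return headers, body


# Constructed payload: ends the current header, injects a cookie, then
# terminates the header block and starts a fake body.
INJECTED_MESSAGE = "x\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>"

if __name__ == "__main__":
    print(is_valid_header_value(ERROR_LABEL.format("site", "Cannot publish")))
    print(build_error_header("site", "Cannot publish", sanitize=True))
    print(splitting_demo(INJECTED_MESSAGE, sanitize=False))
    print(splitting_demo(INJECTED_MESSAGE, sanitize=True))
```

Removing "\n" from the label, as the report suggests, stops the exception, but only the check at the sink (the behaviour the linked Spring Security commit adds) stops an attacker-controlled {1} from carrying its own CR/LF; the unsanitised run above shows that value turning into a second header and a replaced body.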
Relates to: PUBLISHING-45 Weblogic does not accept CRLF characters set in header (Closed)