Publishing / PUBLISHING-37

CRLF validation problem with Spring Security

Details

    • Bug
    • Resolution: Won't Do
    • Low
    • None
    • 1.0.1
    • None

    Description

      Hello,
      I want to report a bug found using the new Magnolia Publish Module in a web application with Spring Security. In the class "HeadersDispatcher" there is a method called "setResponseHeaders" which sets "sa_attribute_message" with the label "publishing-receiver.headersDispatcher.error". The value of this label is "[WEBAPP: {0}]*\n* Message: {1}]".
      

      Afterwards there is this Spring Security class that evaluates whether an HTTP header value contains CR/LF (this is the class -> https://github.com/spring-projects/spring-security/pull/3938/commits/302dede75e8af5e920f637926a3283cf8be289bf ).
      This process finds the "\n" character and throws an IllegalArgumentException that breaks the publication process. If you simply remove "\n" from the message it works.

      In general, the use of a new line inside a header is problematic because it is usually blocked due to the security problem of HTTP response splitting: https://www.owasp.org/index.php/HTTP_Response_Splitting

      Davide
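The mechanism the report describes, as an added example that is not part of the issue and is neither Magnolia's nor Spring Security's code: it models the CR/LF check on header values (Spring's real check lives in FirewalledResponse; the function here is a stand-in with the same effect), shows why a container that does not validate lets a line break in {1} become a second, attacker-chosen header, and shows the fix of folding the message onto one line before it reaches the header. The template and header name are the ones quoted in the bug; the web-app name "site", the message "boom" and the injected Set-Cookie line are constructed inputs.

```python
"""Model of the CR/LF header check described in the report (added example, not
Magnolia or Spring Security code). ERROR_TEMPLATE and HEADER_NAME are quoted
from the bug; "site", "boom" and the injected Set-Cookie are constructed."""
import re

# Label value quoted in the report: a Java MessageFormat pattern with a bare "\n".
ERROR_TEMPLATE = "[WEBAPP: {0}]*\n* Message: {1}]"
HEADER_NAME = "sa_attribute_message"

_CRLF = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised for a header name or value carrying CR or LF. This mirrors the
    IllegalArgumentException the report mentions; it is a model, not Spring's code."""


def format_error(webapp: str, message: str) -> str:
    """Fill the template the way MessageFormat.format(template, webapp, message) would."""
    return ERROR_TEMPLATE.format(webapp, message)


def contains_crlf(text: str) -> bool:
    return _CRLF.search(text) is not None


def validate_header(name: str, value: str) -> None:
    """Reject the header if either part could start a new line in the response."""
    if contains_crlf(name) or contains_crlf(value):
        raise HeaderInjectionError(f"Invalid characters (CR/LF) in header {name}")


def fold_header_value(value: str) -> str:
    """Collapse every line break (plus adjacent whitespace) into one space so the
    message passes the check while staying on a single header line."""
    return re.sub(r"\s*[\r\n]+\s*", " ", value).strip()


def render_response(headers: list[tuple[str, str]]) -> str:
    """Serialize headers naively, as a container would if nothing validated them."""
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return f"HTTP/1.1 200 OK\r\n{head}\r\n"


def parse_header_names(raw: str) -> list[str]:
    """Header names as seen by a lenient client that accepts a bare LF as a line end."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = re.split(r"\r?\n", head)[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


def unchecked_demo() -> list[str]:
    """Response splitting: a CRLF smuggled through {1} yields an attacker-chosen header."""
    value = format_error("site", "boom\r\nSet-Cookie: session=evil")
    return parse_header_names(render_response([(HEADER_NAME, value)]))


def checked_demo(message: str) -> str:
    """The fix: fold the message before it reaches the validated setHeader path."""
    value = fold_header_value(format_error("site", message))
    validate_header(HEADER_NAME, value)  # passes: no CR or LF left in the value
    return value


if __name__ == "__main__":
    print(unchecked_demo())
    try:
        validate_header(HEADER_NAME, format_error("site", "boom"))
    except HeaderInjectionError as exc:
        print("rejected:", exc)
    print(checked_demo("boom\r\nSet-Cookie: session=evil"))
```

Run as a script: the unchecked path lists three header names (the template's "\n" already splits the value, and the injected CRLF adds Set-Cookie), the template-formatted message is rejected exactly as in the bug, and the folded value is accepted and parses back as a single header.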

      People

        Assignee: Unassigned
        Reporter: Davide Faroldi
        Nucleus
        Votes: 0
        Watchers: 3