[PUBLISHING-37] CRLF validation problem with Spring Security Created: 04/Jan/18  Updated: 02/Dec/22  Resolved: 02/Dec/22

Status: Closed
Project: Publishing
Component/s: None
Affects Version/s: 1.0.1
Fix Version/s: None

Type: Bug Priority: Low
Reporter: Davide Faroldi Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to PUBLISHING-45 Weblogic does not accept CRLF charact... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Team: Nucleus

Description

Hello,
I want to report a bug found using the new Magnolia Publish Module in a web application with Spring Security. In the class "HeadersDispatcher" there's a method called "setResponseHeaders" which sets "sa_attribute_message" with the label "publishing-receiver.headersDispatcher.error". The value of this label is "[WEBAPP: {0}]*\n* Message: {1}]".

Afterwards there's this Spring Security class that evaluates whether an HTTP header value contains CR/LF (this is the class -> https://github.com/spring-projects/spring-security/pull/3938/commits/302dede75e8af5e920f637926a3283cf8be289bf ).
This process finds the chars \n and throws an IllegalArgumentException that breaks the publication process. If you simply remove "\n" from the message it works.

In general, the use of a newline inside a header is problematic because it is usually blocked due to the security problems of HTTP response splitting: https://www.owasp.org/index.php/HTTP_Response_Splitting

Davide
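As an added illustration (not code from Magnolia or Spring Security), the Java snippet below reproduces the CR/LF rejection described in the report against a constructed copy of the label value, and shows the header-safe form that avoids the exception. The label constant, the sanitizer and the method names are assumptions for this example.

```java
import java.text.MessageFormat;

/** Added example: why a label containing "\n" cannot be used as an HTTP header value. */
public class HeaderValueCheck {

    // Constructed stand-in for the publishing-receiver.headersDispatcher.error label
    static final String ERROR_LABEL = "[WEBAPP: {0}]\n Message: {1}";

    /** Mirrors the check a header-writing layer applies: CR or LF in a value is rejected. */
    static void assertNoCrlf(String headerName, String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header " + headerName);
        }
    }

    /** Collapses CR/LF runs to a single space so the message fits on one header line. */
    static String headerSafe(String value) {
        return value.replaceAll("[\\r\\n]+", " ").trim();
    }

    public static void main(String[] args) {
        // Constructed sample: the label filled in as the dispatcher would fill it
        String message = MessageFormat.format(ERROR_LABEL, "my-site", "Connection refused");

        try {
            assertNoCrlf("sa_attribute_message", message);
        } catch (IllegalArgumentException e) {
            // This is the failure the report describes: the raw label breaks publication
            System.out.println("Rejected: " + e.getMessage());
        }

        // Sanitized before being placed in the header, the same message is accepted
        String safe = headerSafe(message);
        assertNoCrlf("sa_attribute_message", safe);
        System.out.println("Accepted: " + safe);
    }
}
```

Sanitizing (or rejecting) values before they reach the response is the usual defence here; relying on the framework's exception turns a logging detail into a publication outage.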


Generated at Mon Feb 12 10:34:47 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.