Hello all,
While pentesting one of our servers, I came across a "String index out of
range: -1" exception in method findCharset() at
org.apache.cxf.helpers.HttpHeaderHelper.
I have checked the code in latest version apache-cxf-3.1.6 and the problem
is still there:
93 if (charset.charAt(0) == '\"') {
94 charset = charset.substring(1, charset.length() - 1);
95 }
Previous line check on charset length does not return null as charset
variable still contains the quote.
Then, the next substring operation assumes that if charset starts with
double quote, the length of the string is greater than one, so 'invalid'
input like:
Content-Type: application/x-www-form-urlencoded; charset="
Content-Type: application/x-www-form-urlencoded; charset=";utf-8 "
.
Will trigger this exception on server side, as translated into an
charset.substring( 1, 0 ).
Nothing exploitable from the security point of view, though.
If I permit myself to comment, a possible fix to avoid getting this method
too messy, could be to strip off quotes before the charset.isEmpty() check,
then if charset is empty it will return null, otherwise it will return
charset with no need for further substring operations.
Regards,
Marcos
smime.p7s
Description: S/MIME cryptographic signature
