Hello all,
While pentesting one of our servers, I came across a "String index out of range: -1" exception in method findCharset() at org.apache.cxf.helpers.HttpHeaderHelper. I have checked the code in the latest version, apache-cxf-3.1.6, and the problem is still there:

    if (charset.charAt(0) == '\"') {
        charset = charset.substring(1, charset.length() - 1);
    }

The previous-line check on charset length does not return null, as the charset variable still contains the quote. Then the next substring operation assumes that if charset starts with a double quote, the length of the string is greater than one, so 'invalid' input like:

    Content-Type: application/x-www-form-urlencoded; charset="
    Content-Type: application/x-www-form-urlencoded; charset=";utf-8 "

will trigger this exception on the server side, as it is translated into charset.substring(1, 0). Nothing exploitable from the security point of view, though.

If I permit myself to comment, a possible fix, to avoid getting this method too messy, could be to strip off the quotes before the charset.isEmpty() check; then if charset is empty it will return null, otherwise it will return charset with no need for further substring operations.

Regards,
Marcos
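Added example (not CXF's code, and not part of the original mail): a self-contained Java class that reproduces the quote-handling bug described above beside a version that applies the suggested fix of stripping the quotes before the empty check. The class and method names (CharsetExtraction, findCharsetBroken, findCharsetSafe, extractCharsetParam) and the simple ';'-split parameter parser are assumptions made for this illustration; the sample Content-Type values are the ones quoted in the mail.

```java
/**
 * Hypothetical stand-alone re-implementation of charset extraction from a
 * Content-Type header value. Added example, not org.apache.cxf code.
 */
public class CharsetExtraction {

    /**
     * Mirrors the failing ordering described in the mail: the emptiness check
     * runs while the value still contains its quote, and the quote-stripping
     * substring then assumes a length greater than one.
     */
    public static String findCharsetBroken(String contentType) {
        String charset = extractCharsetParam(contentType);
        if (charset == null || charset.isEmpty()) {
            return null;
        }
        if (charset.charAt(0) == '\"') {
            // For the single-character value "\"" this is substring(1, 0),
            // which throws StringIndexOutOfBoundsException (the exact message
            // text depends on the JDK version).
            charset = charset.substring(1, charset.length() - 1);
        }
        return charset;
    }

    /**
     * Suggested ordering: strip a leading and a trailing quote independently,
     * then decide on emptiness. No further substring can go out of range.
     */
    public static String findCharsetSafe(String contentType) {
        String charset = extractCharsetParam(contentType);
        if (charset == null) {
            return null;
        }
        charset = charset.trim();
        if (charset.startsWith("\"")) {
            charset = charset.substring(1);
        }
        if (charset.endsWith("\"")) {
            charset = charset.substring(0, charset.length() - 1);
        }
        charset = charset.trim();
        return charset.isEmpty() ? null : charset;
    }

    /**
     * Minimal parameter parser (assumption for this example): splits the
     * header value on ';' and returns the raw text after "charset=", or null
     * when no such parameter is present.
     */
    static String extractCharsetParam(String contentType) {
        if (contentType == null) {
            return null;
        }
        for (String part : contentType.split(";")) {
            String p = part.trim();
            if (p.regionMatches(true, 0, "charset=", 0, 8)) {
                return p.substring(8).trim();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed value, the two malformed values
        // from the mail, and a value with no charset parameter at all.
        String[] inputs = {
            "application/x-www-form-urlencoded; charset=\"utf-8\"",
            "application/x-www-form-urlencoded; charset=\"",
            "application/x-www-form-urlencoded; charset=\";utf-8 \"",
            "application/x-www-form-urlencoded"
        };
        for (String in : inputs) {
            System.out.println("input  : " + in);
            System.out.println("  safe   : " + findCharsetSafe(in));
            try {
                System.out.println("  broken : " + findCharsetBroken(in));
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("  broken : threw " + e);
            }
        }
    }
}
```

Running the class shows findCharsetSafe returning utf-8 for the quoted value and null for both malformed values, while findCharsetBroken throws on the two malformed values because the lone quote survives the emptiness check. Stripping each quote on its own (rather than assuming a matched pair) is what makes the safe variant total over any input string.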