Eric Norman created SLING-10421:
-----------------------------------

             Summary: validate configured and client supplied cookie domain 
value
                 Key: SLING-10421
                 URL: https://issues.apache.org/jira/browse/SLING-10421
             Project: Sling
          Issue Type: Sub-task
            Reporter: Eric Norman
            Assignee: Eric Norman
             Fix For: Form Based Authentication 1.0.22


Sonar reports a potential security vulnerability related to the usage of the 
client supplied cookie domain value to clear out the old formauth cookies 
during logout.  The sonar suggestion is to change this code to not echo this 
user-controlled data in the response header.
 
I propose these changes to FormAuthenticationHandler.CookieStorage: # In 
CookieStorage#set validate that the supplied (or configured) cookie domain 
value is valid for the request host.  If the value is invalid, then log a 
warning and send the cookie without any domain value.   Previously, the cookies 
are sent with an invalid domain and that results in login just silently not 
working.  The fallback of sending no domain should make the login work and the 
log file would have the reason why no domain was sent.
 # In CookieStorage#clear validate that the client supplied cookie domain value 
is valid for the request host.  If the value is invalid, than log a warning and 
attempt to clear the cookies using the configured default cookie domain (if 
any).  Logout may still not work if the default cookie domain isn't right, but 
the log file would have the reason instead of silently not working.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to