[ https://issues.apache.org/jira/browse/SLING-10421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-10421:
--------------------------------
    Description: 
Sonar reports a potential security vulnerability related to the usage of the 
client-supplied cookie domain value to clear out the old formauth cookies 
during logout.  The Sonar suggestion is to change this code to not echo this 
user-controlled data in the response header.
  
 I propose these changes to FormAuthenticationHandler.CookieStorage:
 # In CookieStorage#set validate that the supplied (or configured) cookie 
domain value is valid for the request host.  If the value is invalid, then log 
a warning and send the cookie without any domain value.   Previously, the 
cookies were sent with an invalid domain and that resulted in login just silently 
not working.  The fallback of sending no domain should make the login work and 
the log file would have the reason why no domain was sent.
 # In CookieStorage#clear validate that the client-supplied cookie domain value 
is valid for the request host.  If the value is invalid, then log a warning and 
attempt to clear the cookies using the configured default cookie domain (if 
any).  Logout may still not work if the default cookie domain isn't right, but 
the log file would have the reason instead of silently not working.

 


> validate configured and client supplied cookie domain value
> -----------------------------------------------------------
>
>                 Key: SLING-10421
>                 URL: https://issues.apache.org/jira/browse/SLING-10421
>             Project: Sling
>          Issue Type: Sub-task
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.22
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
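The check that both proposed changes rely on, written out as an added example in Java; this is not code from the Sling project. The class name CookieDomainCheck, the method names, the Decision result type and the sample host and domain values are hypothetical. The domain-matching rule follows RFC 6265 sections 5.1.3 and 5.2.3 (host equals the domain, or the host is a name that ends with "." plus the domain); refusing a bare top-level domain as a parent is a refinement of this example, not something the issue asks for. The request host is taken as a plain string, whatever the handler would read it from.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example, not Sling's own code: validate a cookie domain value against
 * the request host before putting it into a Set-Cookie header, plus the
 * fallback rules SLING-10421 proposes for CookieStorage#set and #clear.
 */
public class CookieDomainCheck {

    /** Only characters a host name may contain. Rejecting anything else (CR, LF,
     *  ';', '=') means a client-supplied value cannot alter the Set-Cookie header. */
    private static final Pattern DOMAIN_CHARS = Pattern.compile("[A-Za-z0-9.-]+");
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    /** Outcome of choosing a domain: the value to send (null = omit the Domain
     *  attribute) and a warning for the caller to log, or null when all was well. */
    public static final class Decision {
        public final String domain;
        public final String warning;
        Decision(String domain, String warning) { this.domain = domain; this.warning = warning; }
    }

    /** Host as it should be compared: lower case, port and trailing dot removed. */
    static String canonicalHost(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) return h; // bracketed IPv6 literal, never a name
        int colon = h.indexOf(':');
        if (colon >= 0) h = h.substring(0, colon);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1);
        return h;
    }

    /** RFC 6265 section 5.1.3 domain matching; a leading dot on the Domain
     *  value is ignored as section 5.2.3 requires. */
    public static boolean isValidCookieDomain(String requestHost, String cookieDomain) {
        if (requestHost == null || cookieDomain == null) return false;
        String host = canonicalHost(requestHost);
        String domain = cookieDomain.trim().toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) domain = domain.substring(1);
        if (domain.endsWith(".")) domain = domain.substring(0, domain.length() - 1);
        if (domain.isEmpty() || !DOMAIN_CHARS.matcher(domain).matches()) return false;
        if (host.equals(domain)) return true;
        // A parent-domain match only counts for names, not IP addresses, and a bare
        // TLD such as "com" is refused (heuristic; no full public-suffix check here).
        if (host.startsWith("[") || IPV4.matcher(host).matches() || domain.indexOf('.') < 0) {
            return false;
        }
        return host.endsWith("." + domain);
    }

    /** CookieStorage#set: an invalid configured domain is dropped, not sent. */
    public static Decision domainForSet(String requestHost, String configuredDomain) {
        if (configuredDomain == null || configuredDomain.trim().isEmpty()) {
            return new Decision(null, null);
        }
        if (isValidCookieDomain(requestHost, configuredDomain)) {
            return new Decision(configuredDomain.trim(), null);
        }
        return new Decision(null, "cookie domain '" + configuredDomain
                + "' is not valid for request host '" + requestHost
                + "'; sending cookie without a Domain attribute");
    }

    /** CookieStorage#clear: the client-supplied value is used only if it matches the
     *  host; otherwise fall back to the configured default, checked the same way. */
    public static Decision domainForClear(String requestHost, String clientDomain, String defaultDomain) {
        if (isValidCookieDomain(requestHost, clientDomain)) {
            return new Decision(clientDomain.trim(), null);
        }
        String why = "client-supplied cookie domain '" + clientDomain
                + "' is not valid for request host '" + requestHost + "'";
        if (isValidCookieDomain(requestHost, defaultDomain)) {
            return new Decision(defaultDomain.trim(), why + "; using configured default");
        }
        return new Decision(null, why + "; no usable default, clearing without a Domain attribute");
    }

    public static void main(String[] args) {
        // Constructed inputs: one request host plus values a client or the config might supply.
        String host = "app.example.com:8443";
        String[] candidates = {".example.com", "app.example.com", "evil.com", "com",
                "example.com\r\nSet-Cookie: x=1", "192.168.0.1"};
        for (String c : candidates) {
            System.out.println(c.replace("\r\n", "\\r\\n") + " -> " + isValidCookieDomain(host, c));
        }
        Decision d = domainForClear(host, "evil.com", "example.com");
        System.out.println("clear: domain=" + d.domain + " warning=" + d.warning);
    }
}
```

With this check in place the value still echoed into the header is always one the server could have chosen itself: a client can pick the host or any of its parent names (example.com for app.example.com, which browsers accept anyway) but cannot inject header text or name an unrelated domain. The bare-TLD refusal is only a heuristic; a complete answer to "is this a public suffix?" needs the public suffix list. The warning string is returned rather than logged so the caller can route it through the handler's own logger, which is what the issue asks for in both the set and clear paths.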