[ https://issues.apache.org/jira/browse/SLING-10421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman resolved SLING-10421.
---------------------------------
    Resolution: Fixed

merged PR #4 at: [{{f06f71f}}|https://github.com/apache/sling-org-apache-sling-auth-form/commit/f06f71fcb4e1100375f8adbeb3d5e6e0a5c755ee]

> validate configured and client supplied cookie domain value
> -----------------------------------------------------------
>
>                 Key: SLING-10421
>                 URL: https://issues.apache.org/jira/browse/SLING-10421
>             Project: Sling
>          Issue Type: Sub-task
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.22
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Sonar reports a potential security vulnerability related to the usage of the client supplied cookie domain value to clear out the old formauth cookies during logout. The Sonar suggestion is to change this code to not echo this user-controlled data in the response header.
>
> I propose these changes to FormAuthenticationHandler.CookieStorage:
> # In CookieStorage#set validate that the supplied (or configured) cookie domain value is valid for the request host. If the value is invalid, then log a warning and send the cookie without any domain value. Previously, the cookies were sent with an invalid domain and that results in login just silently not working. The fallback of sending no domain should make the login work and the log file would have the reason why no domain was sent.
> # In CookieStorage#clear validate that the client supplied cookie domain value is valid for the request host. If the value is invalid, then log a warning and attempt to clear the cookies using the configured default cookie domain (if any). Logout may still not work if the default cookie domain isn't right, but the log file would have the reason instead of silently not working.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
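The validation and fallback behaviour proposed in the issue, as an added illustration in plain Java; this is not the merged Sling code, and `CookieDomainCheck`, `domainMatches`, `domainForSet` and `domainForClear` are hypothetical names. It assumes the request host is passed without a port (as `HttpServletRequest.getServerName()` returns it) and applies the RFC 6265 domain-matching rule: the host must equal the cookie domain or end with "." plus the domain, and an IP literal never matches.

```java
import java.util.Locale;

/** Hypothetical helper (not the project's own code) showing the proposed checks. */
public final class CookieDomainCheck {

    /** RFC 6265 domain-match; a leading dot on the configured value is ignored. */
    static boolean domainMatches(String requestHost, String cookieDomain) {
        if (requestHost == null || cookieDomain == null) return false;
        String host = requestHost.toLowerCase(Locale.ROOT);
        String domain = cookieDomain.toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) domain = domain.substring(1);
        if (host.isEmpty() || domain.isEmpty()) return false;
        // IPv4 dotted-quad and IPv6 literals never domain-match a suffix
        if (host.matches("\\d+(\\.\\d+){3}") || host.indexOf(':') >= 0) return false;
        return host.equals(domain) || host.endsWith("." + domain);
    }

    /** CookieStorage#set rule: invalid configured domain -> warn, send no Domain attribute. */
    static String domainForSet(String requestHost, String configuredDomain) {
        if (configuredDomain == null) return null;
        if (domainMatches(requestHost, configuredDomain)) return configuredDomain;
        System.err.println("WARN cookie domain '" + configuredDomain
                + "' is not valid for host '" + requestHost + "'; sending cookie without a domain");
        return null;
    }

    /** CookieStorage#clear rule: invalid client-supplied domain -> warn, fall back to the
     *  configured default (which is itself validated by domainForSet). */
    static String domainForClear(String requestHost, String clientDomain, String configuredDomain) {
        if (clientDomain != null) {
            if (domainMatches(requestHost, clientDomain)) return clientDomain;
            System.err.println("WARN client-supplied cookie domain '" + clientDomain
                    + "' is not valid for host '" + requestHost + "'; using configured default");
        }
        return domainForSet(requestHost, configuredDomain);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment
        String host = "author.example.com";
        System.out.println(domainForSet(host, ".example.com"));      // example.com-style value is valid
        System.out.println(domainForSet(host, "evil.example.net"));  // warns, prints null
        System.out.println(domainForClear(host, "attacker.test", "example.com")); // warns, falls back
        System.out.println(domainMatches("10.0.0.5", "0.0.5"));      // false: IP literal
    }
}
```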