[ https://issues.apache.org/jira/browse/SLING-10421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman resolved SLING-10421.
---------------------------------
Resolution: Fixed
merged PR #4 at:
[{{f06f71f}}|https://github.com/apache/sling-org-apache-sling-auth-form/commit/f06f71fcb4e1100375f8adbeb3d5e6e0a5c755ee]
> validate configured and client supplied cookie domain value
> -----------------------------------------------------------
>
> Key: SLING-10421
> URL: https://issues.apache.org/jira/browse/SLING-10421
> Project: Sling
> Issue Type: Sub-task
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: Form Based Authentication 1.0.22
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Sonar reports a potential security vulnerability related to the usage of the
> client supplied cookie domain value to clear out the old formauth cookies
> during logout. The sonar suggestion is to change this code to not echo this
> user-controlled data in the response header.
>
> I propose these changes to FormAuthenticationHandler.CookieStorage:
> # In CookieStorage#set validate that the supplied (or configured) cookie
> domain value is valid for the request host. If the value is invalid, then
> log a warning and send the cookie without any domain value. Previously, the
> cookies are sent with an invalid domain and that results in login just
> silently not working. The fallback of sending no domain should make the
> login work and the log file would have the reason why no domain was sent.
> # In CookieStorage#clear validate that the client supplied cookie domain
> value is valid for the request host. If the value is invalid, then log a
> warning and attempt to clear the cookies using the configured default cookie
> domain (if any). Logout may still not work if the default cookie domain
> isn't right, but the log file would have the reason instead of silently not
> working.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
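As an added illustration of the check the proposal above describes, here is the RFC 6265 domain-matching rule applied to both the set and clear paths. This is example code written for this note, not the Sling FormAuthenticationHandler implementation; the function names and warning texts are assumptions, and the clear path goes slightly beyond the proposal by also validating the configured fallback domain before using it.

```python
import ipaddress
import logging
from typing import Optional

log = logging.getLogger("formauth.cookie")

def _normalize(name: str) -> str:
    """Lower-case, strip whitespace, a trailing dot and one leading dot."""
    name = name.strip().lower().rstrip(".")
    return name[1:] if name.startswith(".") else name

def _host_only(request_host: str) -> str:
    """Strip a port from a Host header value; keeps bracketed IPv6 literals."""
    if request_host.startswith("["):
        return request_host[1:request_host.find("]")]
    return request_host.split(":", 1)[0]

def domain_matches_host(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the host equals the domain, or the
    host ends with "." + domain and the host is not an IP address literal."""
    domain = _normalize(cookie_domain or "")
    host = _normalize(_host_only(request_host or ""))
    if not domain or not host:
        return False
    try:
        ipaddress.ip_address(host)  # IP hosts only match themselves exactly
        return host == domain
    except ValueError:
        return host == domain or host.endswith("." + domain)

def cookie_domain_for_set(request_host: str, configured_domain: Optional[str]) -> Optional[str]:
    """Domain for a freshly issued auth cookie (the CookieStorage#set case):
    the configured value if it is valid for the host, otherwise no domain."""
    if not configured_domain:
        return None
    if domain_matches_host(configured_domain, request_host):
        return configured_domain
    log.warning("configured cookie domain %r is not valid for host %r; sending cookie without a domain",
                configured_domain, request_host)
    return None

def cookie_domain_for_clear(request_host: str, client_domain: Optional[str],
                            configured_domain: Optional[str]) -> Optional[str]:
    """Domain for clearing cookies on logout (the CookieStorage#clear case): the client
    supplied value only if valid for the host, else warn and fall back to the configured default."""
    if client_domain:
        if domain_matches_host(client_domain, request_host):
            return client_domain
        log.warning("client supplied cookie domain %r is not valid for host %r; using configured domain",
                    client_domain, request_host)
    return cookie_domain_for_set(request_host, configured_domain)
```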