Hi everyone,
I am running an application on Apache Karaf 4.4.10 (Linux environment). We
have noticed a specific behavior regarding line endings that is causing
some concerns during a security audit.
*Observation:* While our source configuration files in the /etc/ directory
correctly use Unix line endings (LF), the persisted files generated by the
system in the cache directory (specifically under
/data/cache/bundleXX/data/config/...) appear with Windows line endings
(CRLF / ^M characters).
The bundle associated with this cache is org.apache.felix.configadmin.
*Security Concern:* An external auditor is flagging this as "configuration
contamination," suggesting that these hidden \r characters could alter the
real value of properties or lead to unpredictable behavior in production.
*Could you please clarify the following?*
1. Is it standard/expected behavior for the Felix Configuration Admin to
persist .config files in the cache using CRLF, regardless of the host OS?
2. Does the Karaf/Felix parser explicitly handle or strip these characters
when loading properties into memory, ensuring that the actual variable
values remain "clean"?
3. Is there any known security or operational risk associated with this
internal persistence format?
We would appreciate an official technical view to provide peace of mind to
our security department.
--
Regards,
Luis Lozano.
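An audit check for question 2, added here as an example and not code from the Felix or Karaf projects: it assumes the cache files follow the Felix-style `key="value"` layout quoted above (the sample content is constructed), and shows how a reader that splits only on `\n` leaks the `\r` into every value while a line-terminator-aware reader keeps them clean. Run it against the files under the cache directory to confirm which case applies.

```python
import re
from pathlib import Path

# Constructed sample: a Felix-style .config file as it might appear in the
# bundle cache, written with CRLF line endings (hypothetical content).
SAMPLE_CRLF = (
    'service.pid="org.example.demo"\r\n'
    'httpPort=I"8181"\r\n'
    'allowedHosts=["a.example","b.example"]\r\n'
)

# key = rest-of-line; '.' matches '\r' in Python, so a stray CR stays in group 2.
LINE_RE = re.compile(r'^\s*([^=\s]+)\s*=\s*(.*)$')


def parse_naive(text):
    """Split on '\\n' only: a hand-rolled reader that lets the trailing
    '\\r' of each CRLF line become part of the stored value."""
    props = {}
    for line in text.split('\n'):
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_line_aware(text):
    """splitlines() treats CRLF as one terminator, so the '\\r' is consumed
    as line structure and never reaches a value."""
    props = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def contaminated_keys(props):
    """Keys whose parsed value still carries a carriage return."""
    return sorted(k for k, v in props.items() if '\r' in v)


def audit_bytes(data):
    """Count CRLF and bare-CR occurrences and check that a line-aware read
    leaves no '\\r' inside any value."""
    crlf = data.count(b'\r\n')
    return {
        'crlf_lines': crlf,
        'bare_cr': data.count(b'\r') - crlf,
        'clean_values': not contaminated_keys(parse_line_aware(data.decode('utf-8'))),
    }


def audit_file(path):
    """Same check for one on-disk file, e.g. a .config under the cache."""
    return audit_bytes(Path(path).read_bytes())
```

`contaminated_keys(parse_naive(...))` lists every key of the sample, while the line-aware parse lists none, which is the distinction the auditor's "contamination" claim hinges on.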