Hi Luis,

Thanks for the report.

To clarify, the Karaf configuration repository uses .cfg files. The .config files in the cache are managed directly by Felix ConfigAdmin and are not controlled by Karaf. The Karaf and Felix configuration readers are designed to handle special characters, including these line terminators.

I do not see a security risk here; it appears to be more of an encoding issue, likely stemming from the service itself. I will investigate if there is a way to address this behavior.

Regards,
JB

On Mon, Mar 23, 2026 at 9:47 PM Luis Lozano <[email protected]> wrote:

> Hi everyone,
>
> I am running an application on Apache Karaf 4.4.10 (Linux environment). We
> have noticed a specific behavior regarding line endings that is causing
> some concerns during a security audit.
>
> *Observation:* While our source configuration files in the /etc/
> directory correctly use Unix line endings (LF), the persisted files
> generated by the system in the cache directory (specifically under
> /data/cache/bundleXX/data/config/...) appear with Windows line endings
> (CRLF / ^M characters).
>
> The bundle associated with this cache is org.apache.felix.configadmin.
>
> *Security Concern:* An external auditor is flagging this as
> "configuration contamination," suggesting that these hidden \r characters
> could alter the real value of properties or lead to unpredictable behavior
> in production.
>
> *Could you please clarify the following?*
>
> 1. Is it standard/expected behavior for the Felix Configuration Admin to
>    persist .config files in the cache using CRLF, regardless of the host
>    OS?
> 2. Does the Karaf/Felix parser explicitly handle or strip these
>    characters when loading properties into memory, ensuring that the actual
>    variable values remain "clean"?
> 3. Is there any known security or operational risk associated with this
>    internal persistence format?
>
> We would appreciate an official technical view to provide peace of mind to
> our security department.
>
> --
> Saludos:
> Luis Lozano.
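
One way to check the auditor's concern against your own files, as an added example that is not part of the original thread and is not Karaf or Felix code: it treats LF and CRLF as line terminators, compares the parsed values of an LF file with its CRLF copy, and reports any key whose value would still contain a carriage return. The simplified key=value parsing and all sample contents are constructed assumptions, not the Felix .config grammar.

```python
import re

# Constructed sample inputs (not taken from a real Karaf installation).
SOURCE_LF = b'# source file, LF endings\nservice.pid="org.example.demo"\nport="8181"\n'
# The same content as it would look when persisted with CRLF line endings.
CACHE_CRLF = SOURCE_LF.replace(b"\n", b"\r\n")
# Constructed bad case: a lone CR embedded in a value, not a line terminator.
STRAY_CR = b'port="81\r81"\r\nhost="localhost"\r\n'


def parse(raw: bytes) -> dict:
    """Parse simplified key=value lines; LF and CRLF both end a line."""
    props = {}
    # Split only on LF or CRLF so a lone CR stays visible inside the value.
    for line in re.split(rb"\r?\n", raw):
        if not line.strip() or line.lstrip().startswith(b"#"):
            continue  # skip blank lines and comments
        key, sep, value = line.partition(b"=")
        if sep:
            # Strip spaces and tabs only, so a CR in the value is not hidden.
            props[key.strip().decode()] = value.strip(b" \t").decode()
    return props


def cr_contaminated(raw: bytes) -> list:
    """Return keys whose parsed value still contains a carriage return."""
    return sorted(k for k, v in parse(raw).items() if "\r" in v)


def same_values(a: bytes, b: bytes) -> bool:
    """True when two encodings of a file yield identical key/value pairs."""
    return parse(a) == parse(b)


if __name__ == "__main__":
    print("LF vs CRLF identical:", same_values(SOURCE_LF, CACHE_CRLF))
    print("CR inside values (CRLF copy):", cr_contaminated(CACHE_CRLF))
    print("CR inside values (stray CR):", cr_contaminated(STRAY_CR))
```

To run it on real files, read them with `open(path, "rb").read()` and pass the bytes to the same functions.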
