Log Forging in DispatcherServlet via requestURI [SPR-11591] #16215

Closed
spring-projects-issues opened this issue Mar 24, 2014 · 1 comment
Labels: in: web, status: backported, type: bug

Comments

@spring-projects-issues spring-projects-issues commented Mar 24, 2014

Darius Bohni opened SPR-11591 and commented

There is a security issue on lines 843/844. An attacker can manipulate the log via a malicious request.

The method doService extracts the URI from the request and uses it unvalidated.

Source:

logger.debug("DispatcherServlet with name '" + getServletName() + "'" + resumed +
        " processing " + request.getMethod() + " request for [" + requestUri + "]");

An attacker can forge the log by sending a request containing %0D%0A

Like: /app/home%0D%0AFAKE

The log will look like:

08:34:50.145 [http-bio-8080-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'dispatcher' processing GET request for [/app/home
FAKE]

Affects: 3.2.8, 4.0.2

Referenced from: commits a2bdc28, 465ca24

Backported to: 3.2.9


@spring-projects-issues spring-projects-issues commented Mar 24, 2014

Juergen Hoeller commented

Good catch! For logging purposes in DispatcherServlet, we're using the encoded request URI as returned from HttpServletRequest.getRequestURI() now instead of UrlPathHelper's decoded one.

That said, since this is about debug logging only - which is never to be activated in a production system - the practical impact should be limited.

Juergen
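An added example, not Spring's code or anything from this issue's commits, that illustrates the point the report and the fix make: percent-decoding the path before logging lets an encoded CR/LF (%0D%0A) split one log entry into two lines, whereas logging the still-encoded value from HttpServletRequest.getRequestURI() keeps the entry on one line. The class name, the constant ENCODED_URI (built from the request in the report) and the sanitizeForLog helper are assumptions made for this example; the helper shows a second defence, escaping control characters in any user-controlled value before it reaches a logger.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not Spring's code): why logging the decoded request path
 * lets a request split a log entry, and two ways to keep one request per line.
 */
public class LogForgingDemo {

    // Constructed sample: what a servlet container would return from
    // HttpServletRequest.getRequestURI() for the request shown in the report.
    static final String ENCODED_URI = "/app/home%0D%0AFAKE";

    // What the original code effectively logged: the percent-decoded path.
    static String decoded(String uri) {
        return URLDecoder.decode(uri, StandardCharsets.UTF_8);
    }

    // Defensive variant (hypothetical helper): replace ASCII control characters,
    // CR and LF included, with a visible escape so a logged value can never
    // start a new line.
    static String sanitizeForLog(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the shape of the debug message from the issue.
    static String logLine(String method, String requestUri) {
        return "DispatcherServlet with name 'dispatcher' processing " + method
                + " request for [" + requestUri + "]";
    }

    public static void main(String[] args) {
        // Before the fix: the decoded CR/LF breaks the entry across two lines.
        System.out.println("Decoded (before fix):\n" + logLine("GET", decoded(ENCODED_URI)));
        // After the fix: the encoded URI stays on one line with %0D%0A visible.
        System.out.println("Encoded (after fix):\n" + logLine("GET", ENCODED_URI));
        // Alternative: decode for readability but escape control characters.
        System.out.println("Sanitized decoded:\n"
                + logLine("GET", sanitizeForLog(decoded(ENCODED_URI))));
    }
}
```

Running the class prints the first entry split after "/app/home" with "FAKE]" on its own line, while the other two stay on a single line. Logging the encoded form, as the fix does, needs no extra escaping; the sanitizer is the general pattern for any other request-derived value (headers, parameters) that reaches a log line.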

@spring-projects-issues spring-projects-issues added type: bug status: backported in: web labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.0.3 milestone Jan 11, 2019