SEC-1119: Malformed Base64 in cookie causes error 500 #1371

spring-issuemaster opened this Issue Mar 16, 2009 · 0 comments



Burt Beckwith (Migrated from SEC-1119) said:

This came up during a penetration test where they were trying to force error 500 pages to determine extra system information.

When they sent in a bad Base64 string, e.g. “0” or “65535”, the Base64.isArrayByteBase64() check in AbstractRememberMeServices.decodeCookie() is insufficient since it only checks that the characters are part of the Base64 alphabet, not that the string has a length divisible by 4 or other sanity checks.

The result is a runtime exception that’s not caught in AbstractRememberMeServices.autoLogin() so it propagates out as a 500 exception. Adding a check for RuntimeException would be consistent with the rest of the code:

        } catch (RuntimeException e) {
            // a cookie that passed the alphabet check but fails to decode is cancelled
            // and the request continues unauthenticated instead of surfacing as a 500
            cancelCookie(request, response);
            return null;
        }

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
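The failure mode described in the report, modelled as an added example that is not Spring Security's own code: an alphabet-only check (standing in for Base64.isArrayByteBase64()) lets “0” and “65535” through, the decoder then raises, and whether the client sees an error 500 or an anonymous session depends on whether autoLogin() handles that runtime failure. The names InvalidCookieException, decode_cookie, auto_login and handle_request, the cookie layout and the sample cookie value are assumptions for the illustration; the stricter is_well_formed_base64() check is the kind of sanity check the reporter asks for, not code from the project.

```python
import base64
import binascii
import string

# Standard Base64 alphabet plus the '=' pad character, as the alphabet-only check sees it.
BASE64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")

# Constructed sample cookie in the remember-me layout "username:expiryMillis:signature".
# The signature value is a placeholder, not a real token signature.
VALID_COOKIE = base64.b64encode(b"alice:1237000000000:0123456789abcdef").decode("ascii")


class InvalidCookieException(Exception):
    """Stand-in (assumed name) for the exception decodeCookie() raises on a non-Base64 cookie."""


def is_array_byte_base64(value: str) -> bool:
    """Models the insufficient check: every character is in the Base64 alphabet, nothing more."""
    return all(ch in BASE64_ALPHABET for ch in value)


def is_well_formed_base64(value: str) -> bool:
    """Sanity check the report asks for: alphabet, length divisible by 4,
    and at most two '=' characters, only at the end."""
    if not value or len(value) % 4 != 0 or not is_array_byte_base64(value):
        return False
    data = value.rstrip("=")
    return len(value) - len(data) <= 2 and "=" not in data


def decode_cookie(cookie_value: str) -> list:
    """Models decodeCookie(): alphabet check, then decode and split on ':'.
    "0" and "65535" pass the alphabet check, so it is the decoder itself that
    raises binascii.Error (the uncaught RuntimeException of the report)."""
    if not is_array_byte_base64(cookie_value):
        raise InvalidCookieException("cookie is not Base64")
    raw = base64.b64decode(cookie_value, validate=True)  # raises binascii.Error for "0", "65535"
    return raw.decode("utf-8").split(":")


def auto_login(cookie_value: str, patched: bool):
    """Models autoLogin(). Returns the token list, or None after cancelling the cookie.
    Unpatched: only InvalidCookieException is handled, so decoder errors escape.
    Patched (the change proposed in the issue): a RuntimeException-like failure
    (ValueError, which binascii.Error subclasses) also cancels the cookie and returns None."""
    try:
        return decode_cookie(cookie_value)
    except InvalidCookieException:
        return None  # cancelCookie(request, response); return null
    except ValueError:
        if not patched:
            raise  # propagates out of autoLogin() and ends as an error 500
        return None  # cancelCookie(request, response); return null


def handle_request(cookie_value: str, patched: bool) -> str:
    """What the client ends up seeing: an error 500, an anonymous session,
    or an authenticated session for the user named in the cookie."""
    try:
        tokens = auto_login(cookie_value, patched)
    except ValueError:
        return "500"
    return "anonymous" if tokens is None else "user:" + tokens[0]


if __name__ == "__main__":
    for value in ("0", "65535", "not base64!", VALID_COOKIE):
        print(f"{value!r:50} alphabet-only={is_array_byte_base64(value)!s:5} "
              f"well-formed={is_well_formed_base64(value)!s:5} "
              f"unpatched={handle_request(value, False):10} patched={handle_request(value, True)}")
```

Running the block prints one row per sample value. The two probe strings pass the alphabet-only check, fail the length check, and produce a 500 only in the unpatched path; the garbage string that fails the alphabet check was already handled in both paths, which is exactly the inconsistency the report points at.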