
SEC-1790: URL spring-security-redirect parameters vulnerable to CRLF injection by default. #2014

Closed
spring-projects-issues opened this issue Jul 25, 2011 · 3 comments


@spring-projects-issues spring-projects-issues commented Jul 25, 2011

David Mas (Migrated from SEC-1790) said:

AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl(HttpServletRequest, HttpServletResponse) calls URLDecoder.decode, and the result is fed directly to DefaultRedirectStrategy by default, which does not filter line feeds, so a custom header can be injected after "Location".

Request:
GET /mywebapp/logout/spring-security-redirect=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs HTTP/1.1

Response:
HTTP/1.1 302 Moved Temporarily
Date: Tue, 19 Jul 2011 15:28:57 GMT
Location: xxxxxxxxxxxxxxx
SomeCustomInjectedHeader: injected_by_wvs
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.


@spring-projects-issues spring-projects-issues commented Jul 25, 2011

David Mas said:

I have also made a fix by extending DefaultRedirectStrategy. It would be nice if this redirectStrategy were injected instead of the default one.

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.DefaultRedirectStrategy;

public class CrlfFilteringRedirectStrategy extends DefaultRedirectStrategy {

    /**
     * Strips CR and LF from the target URL before delegating, so the value
     * cannot terminate the Location header and start a new one.
     *
     * @see org.springframework.security.web.DefaultRedirectStrategy#sendRedirect(javax.servlet.http.HttpServletRequest,
     *      javax.servlet.http.HttpServletResponse, java.lang.String)
     */
    @Override
    public void sendRedirect(final HttpServletRequest request,
            final HttpServletResponse response, final String url)
            throws IOException {
        String filteredUrl = url.replaceAll("\\n|\\r", "");
        super.sendRedirect(request, response, filteredUrl);
    }
}
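To make the decode-then-redirect sequence from the report and the strip-based fix above concrete, here is an added example (not code from this issue or from Spring Security) of a validator that checks the decoded value and rejects CR/LF instead of silently removing it; the class name and the use of java.net.URLDecoder's Charset overload (Java 10+) are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Illustrative check for redirect targets; hypothetical class, not Spring's FirewalledResponse. */
public final class RedirectTargetCheck {

    /** True when the target contains a CR (0x0d) or LF (0x0a), either of which ends the Location header line. */
    public static boolean containsCrlf(String target) {
        return target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0;
    }

    /**
     * Decodes the parameter the same way determineTargetUrl does, then validates the decoded
     * value. Throws rather than strips, so an injection attempt is surfaced and can be logged
     * instead of being rewritten into a harmless-looking redirect.
     */
    public static String decodeAndValidate(String rawParam) {
        String decoded = URLDecoder.decode(rawParam, StandardCharsets.UTF_8);
        if (containsCrlf(decoded)) {
            throw new IllegalArgumentException("redirect target contains CR/LF");
        }
        return decoded;
    }

    public static void main(String[] args) {
        // Constructed sample: the encoded spring-security-redirect value from the report above.
        String raw = "%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs";

        // Checking the still-encoded value misses the CRLF; only the decoded value reveals it.
        System.out.println("encoded value contains CRLF: " + containsCrlf(raw));
        System.out.println("decoded value contains CRLF: "
                + containsCrlf(URLDecoder.decode(raw, StandardCharsets.UTF_8)));

        try {
            decodeAndValidate(raw);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A benign, percent-encoded path passes through unchanged after decoding.
        System.out.println("accepted: " + decodeAndValidate("%2Fmywebapp%2Fhome"));
    }
}
```

The check must run on the decoded value, at the same point where determineTargetUrl calls URLDecoder.decode, because the raw query parameter carries the CRLF only as %0d%0a.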


@spring-projects-issues spring-projects-issues commented Jul 27, 2011

Luke Taylor said:

Thanks for the report.

I think this is probably best addressed in a standard response wrapper which is injected into the filter chain by the FilterChainProxy. This will cover all attempts to redirect to an invalid location rather than just those which use the default redirect strategy. In future we should also support pluggable request and response validation strategies (allowing, for example, the use of the ESAPI validator as an option) rather than attempting to provide a generic blacklist.

Also, please use the guidelines at http://www.springsource.com/security if reporting a vulnerability which may put existing users at risk.


@spring-projects-issues spring-projects-issues commented Aug 19, 2011

Luke Taylor said:

The redirect location is now sanitized in a FirewalledResponse class which wraps the response. Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.
