HttpServer API input validation issue

Attila Kelemen attila.kelemen85 at gmail.com
Tue Oct 19 17:26:54 UTC 2021


Hi,

I was looking at the code of the new HttpServer API, and stumbled across
the BasicAuthenticator class. As it is currently, the "realm" field is neither
validated, nor escaped before being put into the http header. I know that
the risk that this will end up as a security problem is low (especially
since this API is not supposed to be used in production), but I believe it
would be best if this is addressed before release.

Regards,
Attila Kelemen
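As an added illustration of the defensive check the message asks for (this is example code, not the JDK's BasicAuthenticator or any proposed patch), the helper below validates and quotes a realm before it is placed in a WWW-Authenticate header: control characters such as CR/LF are rejected, and '"' and '\' are escaped so the value stays one quoted-string token. The class and method names are hypothetical.

```java
import java.util.regex.Pattern;

/** Builds a Basic-auth challenge whose realm cannot break out of the header value. */
public final class RealmChallenge {
    // Control characters (including CR, LF and NUL) are never valid inside an
    // HTTP quoted-string (RFC 7230) and would terminate or split the header line.
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\x00-\\x1F\\x7F]");

    private RealmChallenge() {}

    /** Rejects empty realms and realms containing control characters. */
    public static String validateRealm(String realm) {
        if (realm == null || realm.isEmpty()) {
            throw new IllegalArgumentException("realm must not be empty");
        }
        if (CONTROL_CHARS.matcher(realm).find()) {
            throw new IllegalArgumentException("realm contains control characters");
        }
        return realm;
    }

    /** Wraps the validated realm in double quotes, escaping '"' and '\' as quoted-pairs. */
    public static String quoteRealm(String realm) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : validateRealm(realm).toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Returns the value to send in the WWW-Authenticate header. */
    public static String challenge(String realm) {
        return "Basic realm=" + quoteRealm(realm);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one realm with an embedded quote, one with a line break.
        System.out.println(challenge("Admin \"Area\""));   // Basic realm="Admin \"Area\""
        try {
            challenge("bad\r\nrealm");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```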
