HttpServer API input validation issue

Daniel Fuchs daniel.fuchs at oracle.com
Tue Oct 19 18:14:22 UTC 2021


Hi Attila,

Right - thanks. If realm contains a double quote, that quote
should probably be quoted. This is a functional bug.
BasicAuthenticator has been in the JDK since JDK 6.

I have logged https://bugs.openjdk.java.net/browse/JDK-8275534

best regards,

-- daniel


On 19/10/2021 18:26, Attila Kelemen wrote:
> Hi,
> 
> I was looking at the code of the new HttpServer API, and stumbled across
> the BasicAuthenticator class. As it is currently, the "realm" field is neither
> validated, nor escaped before being put into the http header. I know that
> the risk that this will end up as a security problem is low (especially
> since this API is not supposed to be used in production), but I believe it
> would be best if this is addressed before release.
> 
> Regards,
> Attila Kelemen
> 
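The problem described in the thread, as an added illustration that is not JDK code: the realm is untrusted input that ends up inside the quoted-string of the `WWW-Authenticate` header, so it has to be escaped (or rejected) before concatenation. The class and method names below are invented for this example, and the realm values are constructed.

```java
import java.util.Objects;

/**
 * Added example (not part of the JDK): builds a Basic-auth challenge while
 * treating the realm as untrusted. Plain concatenation of a realm such as
 * my"realm would produce Basic realm="my"realm", where the embedded quote
 * terminates the quoted-string early and the rest is parsed as stray text.
 */
public final class SafeBasicChallenge {

    /** Rejects characters that RFC 7230 does not permit inside a quoted-string. */
    static void requireNoControls(String realm) {
        for (int i = 0; i < realm.length(); i++) {
            char c = realm.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7F) {
                throw new IllegalArgumentException(
                        "realm contains control character at index " + i);
            }
        }
    }

    /** Escapes '"' and '\' as quoted-pairs so the realm stays one quoted-string. */
    static String quoteRealm(String realm) {
        Objects.requireNonNull(realm, "realm");
        requireNoControls(realm);
        StringBuilder sb = new StringBuilder(realm.length() + 2).append('"');
        for (char c : realm.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Header value for WWW-Authenticate, with the realm safely quoted. */
    static String challenge(String realm) {
        return "Basic realm=" + quoteRealm(realm);
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign realm and one carrying a double quote.
        System.out.println(challenge("admin"));
        System.out.println(challenge("my\"realm"));
        // Constructed input with a CR, which would otherwise start a new header line.
        try {
            challenge("admin\r\nX-Injected: 1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```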



More information about the jdk-dev mailing list