HttpServer API input validation issue

Attila Kelemen attila.kelemen85 at
Tue Oct 19 17:26:54 UTC 2021


I was looking at the code of the new HttpServer API, and stumbled across
the BasicAuthenticator class. As is currently, the "realm" field is neither
validated, nor escaped before being put into the http header. I know that
the risk that this will end up as a security problem is low (especially
since this API is not supposed to be used in production), but I believe it
would be best if this is addressed before release.

Attila Kelemen

More information about the jdk-dev mailing list