[jboss-jira] [JBoss JIRA] (ELY-1950) FORM authentication not working for URL encoded session IDs
Darran Lofthouse (Jira)
issues at jboss.org
Tue Apr 28 10:08:37 EDT 2020
[ https://issues.redhat.com/browse/ELY-1950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated ELY-1950:
----------------------------------
Security: (was: Security Issue)
> FORM authentication not working for URL encoded session IDs
> -----------------------------------------------------------
>
> Key: ELY-1950
> URL: https://issues.redhat.com/browse/ELY-1950
> Project: WildFly Elytron
> Issue Type: Bug
> Components: HTTP
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 1.12.0.CR1
>
>
> The session IDs are encoded as: -
> {code}
> /secure/j_security_check;jsessionid=kVzsBG9c3XxcOlzpa65ohiMeMNqXdSNQuOdvdpR3.flame
> {code}
> However the code that checks if this is a submission to j_security_check is: -
> {code:java}
> request.getRequestURI().getPath().endsWith(postLocation)
> {code}
> This code needs to trim the path at ';'.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
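An added illustration of the mismatch described in the issue (not Elytron's own code): the quoted `endsWith(postLocation)` check applied to the raw path beside a variant that trims the path at ';' first. The class, method names and the hard-coded `j_security_check` post location are assumptions for the example; the session ID is the one quoted in the issue.

```java
import java.net.URI;

/**
 * Example only (not WildFly Elytron code). Shows why an endsWith() check on the
 * raw request path misses a FORM submission once the container appends a
 * ";jsessionid=..." path parameter (ELY-1950), and the check after trimming at ';'.
 */
public class FormSubmissionCheck {
    // Assumed post location; Elytron configures this as postLocation.
    static final String POST_LOCATION = "j_security_check";

    /** The check quoted in the issue: compares the path exactly as received. */
    static boolean isSubmissionOriginal(String path) {
        return path.endsWith(POST_LOCATION);
    }

    /**
     * Trimmed check, as the issue proposes: drop everything from the first ';'
     * (the path-parameter separator) before comparing. Note this assumes only
     * the final segment carries path parameters, which is the jsessionid case.
     */
    static boolean isSubmissionTrimmed(String path) {
        int semicolon = path.indexOf(';');
        String trimmed = semicolon < 0 ? path : path.substring(0, semicolon);
        return trimmed.endsWith(POST_LOCATION);
    }

    public static void main(String[] args) {
        // URI.getPath() keeps path parameters, so the ";jsessionid=..." survives,
        // exactly as in the URI shown in the issue.
        String encoded = URI.create(
                "/secure/j_security_check;jsessionid=kVzsBG9c3XxcOlzpa65ohiMeMNqXdSNQuOdvdpR3.flame")
                .getPath();
        String plain = "/secure/j_security_check";

        System.out.println("plain, original check:    " + isSubmissionOriginal(plain));
        System.out.println("encoded, original check:  " + isSubmissionOriginal(encoded));
        System.out.println("encoded, trimmed check:   " + isSubmissionTrimmed(encoded));

        // A request that is not a submission must still be rejected after trimming.
        String other = "/secure/login.jsp;jsessionid=kVzsBG9c3XxcOlzpa65ohiMeMNqXdSNQuOdvdpR3.flame";
        System.out.println("non-submission, trimmed:  " + isSubmissionTrimmed(other));
    }
}
```

Running `main` shows the original check rejecting the encoded submission while the trimmed check accepts it and still rejects other paths that merely carry a session ID.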