Spring Security
  1. Spring Security
  2. SEC-1119

Malformed Base64 in cookie causes error 500

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      This came up during a penetration test where they were trying to force error 500 pages to determine extra system information.

      When they sent in bad Base64 string, e.g. "0" or "65535", the Base64.isArrayByteBase64() check in AbstractRememberMeServices.decodeCookie() is insufficient since it only checks that the characters are part of the Base64 alphabet, not that the string has a length divisible by 4 or other sanity checks.

      The result is a runtime exception that's not caught in AbstractRememberMeServices.autoLogin() so it propagates out as a 500 exception. Adding a check for RuntimeException would be consistent with the rest of the code:

              } catch (RuntimeException e) {
                  cancelCookie(request, response);
                  logger.debug(e.getMessage());
                  return null;
              }
      

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Burt Beckwith
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: