Spring Security / SEC-1790

URL spring-security-redirect parameters vulnerable to CRLF injection by default.

    Details

      Description

      AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl(HttpServletRequest, HttpServletResponse) calls URLDecoder.decode, and the result is directly fed to DefaultRedirectStrategy by default, which does not filter line feeds, injecting a custom header after "Location".

      Request:
      GET /mywebapp/logout/spring-security-redirect=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs HTTP/1.1

      Response:
      HTTP/1.1 302 Moved Temporarily
      Date: Tue, 19 Jul 2011 15:28:57 GMT
      Location: xxxxxxxxxxxxxxx
      SomeCustomInjectedHeader: injected_by_wvs
      Content-Length: 0
      Connection: close
      Content-Type: text/plain; charset=UTF-8

      You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.

        Activity

        David Mas added a comment -

        I have also made a fix by extending DefaultRedirectStrategy. It would be nice this redirectStrategy is injected instead of the default one.

        import java.io.IOException;

        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;

        import org.springframework.security.web.DefaultRedirectStrategy;

        public class CrlfFilteringRedirectStrategy extends DefaultRedirectStrategy {

            /**
             * @see org.springframework.security.web.DefaultRedirectStrategy#sendRedirect(javax.servlet.http.HttpServletRequest,
             *      javax.servlet.http.HttpServletResponse, java.lang.String)
             */
            @Override
            public void sendRedirect(final HttpServletRequest request,
                    final HttpServletResponse response, final String url)
                    throws IOException {
                // Strip CR and LF before delegating so they cannot terminate the Location header
                String filteredUrl = url.replaceAll("\\n|\\r", "");
                super.sendRedirect(request, response, filteredUrl);
            }
        }

        Luke Taylor added a comment -

        Thanks for the report.

        I think this is probably best addressed in a standard response wrapper which is injected into the filter chain by the FilterChainProxy. This will cover all attempts to redirect to an invalid location rather than just those which use the default redirect strategy. In future we should also support pluggable request and response validation strategies (allowing, for example, the use of the ESAPI validator as an option) rather than attempting to provide a generic blacklist.

        Also, please use the guidelines at http://www.springsource.com/security if reporting a vulnerability which may put existing users at risk.

        Luke Taylor added a comment -

        The redirect location is now sanitized in a FirewalledResponse class which wraps the response. Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.


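        As an added example (not Spring Security's own code and not the FirewalledResponse class mentioned above), the following Python models the single decode step from determineTargetUrl, shows how an unfiltered Location write turns the decoded CRLF into a second response header, and applies the reject-on-control-characters check that a response wrapper performs; the parameter values and header names are constructed from the request in this report.

```python
import re
from urllib.parse import unquote

# Constructed inputs modelled on the report: the raw value of the
# spring-security-redirect parameter as it arrives, before URL decoding.
CRAFTED_PARAM = "%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs"
CLEAN_PARAM = "%2Fmywebapp%2Fhome"

# CR (0x0d), LF (0x0a), the other C0 controls and DEL must never reach a
# header value: on the wire a CRLF terminates the current header line.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")


class InvalidRedirectLocation(ValueError):
    """Raised instead of silently stripping, so the bad request is visible in logs."""


def determine_target_url(raw_param):
    """Mirror of the decode step: decode exactly once and hand the result on as-is."""
    return unquote(raw_param)


def naive_redirect_headers(location):
    """What an unfiltered redirect emits: the decoded value is pasted straight into
    the Location line, so an embedded CRLF ends it and starts a new header."""
    return (b"HTTP/1.1 302 Moved Temporarily\r\nLocation: "
            + location.encode("latin-1")
            + b"\r\nContent-Length: 0\r\n\r\n")


def response_header_names(wire):
    """Parse the header names a client would see from the raw response bytes."""
    head = wire.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # skip the status line
    return [line.split(b":", 1)[0].strip().decode() for line in lines if b":" in line]


def is_safe_location(location):
    """True when the decoded location contains no control characters."""
    return _FORBIDDEN.search(location) is None


def firewalled_location(location):
    """Validation performed after decoding, at the point the header is written;
    rejects rather than strips so the caller cannot miss the attempt."""
    if not is_safe_location(location):
        raise InvalidRedirectLocation("control character in redirect location")
    return location
```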
          People

          Assignee: Luke Taylor
          Reporter: David Mas
          Votes: 0
          Watchers: 1
