Spring Web Services / SWS-845

checkForUtf8ByteOrderMark() will not detect BOM with some TLSv1 implementations

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.3
    • Fix Version/s: 2.1.4
    • Component/s: Core
    • Labels:
      None
    • Environment:
      All setups where first read() from the stream does not return at least three bytes + clients that send BOM.

      Description

      SWS-750 fixed data corruption when first read() from the stream returned just 1 or 2 bytes instead of all three.

      But the BOM removal functionality still won't work e.g. if the first byte is sent separately.

      I suggest a modification like this (haven't tested it):

         private InputStream checkForUtf8ByteOrderMark(InputStream inputStream) throws IOException {
             PushbackInputStream pushbackInputStream = new PushbackInputStream(new BufferedInputStream(inputStream), 3);
             byte[] bytes = new byte[3];
             int bytesRead = 0;
             // Ensure filling the buffer
             while (bytesRead < bytes.length) {
                 int n = pushbackInputStream.read(bytes, bytesRead, bytes.length - bytesRead);
                 if (n > 0) {
                     bytesRead += n;
                 } else {
                     break;
                 }
             }
             if (bytesRead > 0) {
                 // check for the UTF-8 BOM, and remove it if there. See SWS-393
                 if (!isByteOrderMark(bytes)) {
                     pushbackInputStream.unread(bytes, 0, bytesRead);
                 }
             }
             return pushbackInputStream;
         }

      The thing is that the read() call guarantees just one byte. And this situation isn't that rare - some implementations of TLSv1 really send the first byte separately, our customer had this problem with a WS client based on WinHttp.WinHttpRequest object on Windows 2008 R2. We had to work around SWS-750 by forcing SSLv3 (before we learned that it is actually fixed).

      So if anybody had the bad luck of having the TLSv1 + BOM issue, they would be affected.

      Hope this helps.
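
The short-read behaviour described in this report can be reproduced offline. The following is an added example, not code from the issue or from Spring Web Services: `FirstByteAlone`, `readHead` and `stripBom` are hypothetical names, the payload is constructed, and the `BufferedInputStream` wrapper from the suggested method is left out so the short read stays visible with an in-memory source.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class BomPartialReadDemo {
    static final byte[] BOM = {(byte) 0xEF, (byte) 0xBB, (byte) 0xBF};

    // Constructed transport stand-in: the first read() hands back one byte only.
    static class FirstByteAlone extends FilterInputStream {
        private boolean first = true;
        FirstByteAlone(InputStream in) { super(in); }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            int limit = (first && len > 1) ? 1 : len;
            first = false;
            return super.read(b, off, limit);
        }
    }

    // Reads up to head.length bytes; loops only when fill is true. Returns bytes read.
    static int readHead(InputStream in, byte[] head, boolean fill) throws IOException {
        int total = 0, n;
        while (total < head.length && (n = in.read(head, total, head.length - total)) > 0) {
            total += n;
            if (!fill) break;   // single-read behaviour: accept whatever arrived
        }
        return total;
    }

    // Strips a leading UTF-8 BOM; anything else that was read is pushed back.
    static InputStream stripBom(InputStream in, boolean fill) throws IOException {
        PushbackInputStream pb = new PushbackInputStream(in, 3);
        byte[] head = new byte[3];
        int total = readHead(pb, head, fill);
        boolean bom = total == 3 && Arrays.equals(head, BOM);
        if (total > 0 && !bom) pb.unread(head, 0, total);
        return pb;
    }

    static boolean startsWithBom(InputStream in) throws IOException {
        byte[] head = new byte[3];
        return readHead(in, head, true) == 3 && Arrays.equals(head, BOM);
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = "\uFEFF<a/>".getBytes(StandardCharsets.UTF_8); // constructed sample
        for (boolean fill : new boolean[] {false, true}) {
            InputStream wire = new FirstByteAlone(new ByteArrayInputStream(payload));
            System.out.println((fill ? "looped" : "single") + " read, BOM still in stream: "
                    + startsWithBom(stripBom(wire, fill)));
        }
    }
}
```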

          Activity

          martin.cizek Martin Cizek created issue -
          martin.cizek Martin Cizek added a comment -

          I was too quick when submitting, may I ask for updating the subject to "checkForUtf8ByteOrderMark() will not detect BOM with some TLSv1 implementations"? Thanks.

          arjen.poutsma Arjen Poutsma made changes -
          Summary: checkForUtf8ByteOrderMark -> checkForUtf8ByteOrderMark() will not detect BOM with some TLSv1 implementations
          arjen.poutsma Arjen Poutsma made changes -
          Assignee: Arjen Poutsma [ arjen.poutsma ]
          arjen.poutsma Arjen Poutsma made changes -
          Fix Version/s: 2.1.4 [ 14119 ]
          arjen.poutsma Arjen Poutsma made changes -
          Link: This issue is related to SWS-750 [ SWS-750 ]
          arjen.poutsma Arjen Poutsma made changes -
          Status: Open [ 1 ] -> Resolved [ 5 ]
          Resolution: Fixed [ 1 ]

          Transition: Open -> Resolved
          Time In Source Status: 10d 22h 21m
          Execution Times: 1
          Last Executer: Arjen Poutsma
          Last Execution Date: 20/Aug/13 3:37 AM

            People

            • Assignee:
              arjen.poutsma Arjen Poutsma
              Reporter:
              martin.cizek Martin Cizek
            • Votes:
              0
              Watchers:
              2
