[SWS-845] checkForUtf8ByteOrderMark() will not detect BOM with some TLSv1 implementations Created: 09/Aug/13  Updated: 20/Aug/13  Resolved: 20/Aug/13

Status: Resolved
Project: Spring Web Services
Component/s: Core
Affects Version/s: 2.1.3
Fix Version/s: 2.1.4

Type: Bug Priority: Major
Reporter: Martin Cizek Assignee: Arjen Poutsma
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

All setups where first read() from the stream does not return at least three bytes + clients that send BOM.

Issue Links:
is related to SWS-750 SaajSoapMessageFactory's checkForUtf8... Closed
Reference URL: http://stackoverflow.com/questions/13528021/java-ssl-streaming-splitted-applicationdata


SWS-750 fixed data corruption when first read() from the stream returned just 1 or 2 bytes instead of all three.

But the BOM removal functionality still won't work e.g. if the first byte is sent separately.

I suggest a modification like this (haven't tested it):

   private InputStream checkForUtf8ByteOrderMark(InputStream inputStream) throws IOException {
       PushbackInputStream pushbackInputStream = new PushbackInputStream(new BufferedInputStream(inputStream), 3);
       byte[] bytes = new byte[3];
       int bytesRead = 0;
       // Ensure filling the buffer
       while (bytesRead < bytes.length) {
           int n = pushbackInputStream.read(bytes, bytesRead, bytes.length - bytesRead);
           if (n > 0) {
               bytesRead += n;
           } else {
       if (bytesRead > 0) {
           // check for the UTF-8 BOM, and remove it if there. See SWS-393
           if (!isByteOrderMark(bytes)) {
               pushbackInputStream.unread(bytes, 0, bytesRead);
       return pushbackInputStream;

The thing is that the read() call guarantees just one byte. And this situation isn't that rare - some implementations of TLSv1 really send the first byte separately, our customer had this problem with a WS client based on WinHttp.WinHttpRequest object on Windows 2008 R2. We had to workaround SWS-750 by forcing SSLv3 (before we learned that it is actually fixed).

So if anybody had bad luck of having the TLSv1 + BOM issue, they would be affected.

Hope this helps.

Comment by Martin Cizek [ 09/Aug/13 ]

I was too quick when submitting, may I ask for updating the subject to "checkForUtf8ByteOrderMark() will not detect BOM with some TLSv1 implementations"? Thanks.

Generated at Sat Dec 15 08:52:07 UTC 2018 using JIRA 7.9.2#79002-sha1:3bb15b68ecd99a30eb364c4c1a393359bcad6278.