-
Notifications
You must be signed in to change notification settings - Fork 357
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Unicode normalization can lead to open redirect #5777
Comments
@chmodxxx This looks serious. Can you specify how exactly you parse the redirect uri? What client connector do you use (default, netty...)? Do you use some custom logic that includes the work with UriBuilder? |
The Location header for What container does Jersey run at in your case? |
@jansupol Thanks for looking into this, I don't think our custom logic to validate/parse is relevant for this case, I have created an endpoint that has this only logic :
We have this custom Response interface and the logic roughly looks like this :
|
Any updates ? |
I have tested this with multiple web servers. Jersey pases the location header to the server without modifying the unicode character. |
Description
We are facing the following behaviour , we have the following endpoint that returns a redirect response via :
return Response.seeOther("https://www.google.com☣@example.org");
Normally this should redirect the user to
example.org
, however it is not the case the redirection goes towww.google.com
.You can use any unicode character that ends with 23 (e.g
\u2523
), jakarta will do some sort of normalization in the response headers and convert the unicode character to a literal # causing the legitimate domain to be interpreted as fragment.Problem
This is a big problem when having an Oauth endpoint using jakarta, the normal implementation would be to take redirect_uri from User input and validate the host, and then redirect to the target domain. The problem here is when parsing this redirect uri in java "https://www.malicious.com☣@legitimate.com" the host will be legitimate.com but the redirection via
seeOther()
will send the user to malicious.com, which will result in an open redirect in oauth flows.The text was updated successfully, but these errors were encountered: