With the introduction of the ability to specify which characters are forbidden by EJBCA (ECA-3178), some parts of the code that used to assume all content gets stripped of some dangerous characters might not handle some of the input correctly.
I have identified at least one such case when enrolling for a JKS file (possibly PEM etc. are affected as well):
1. Add end entity with username set to something like 'Branko ! Majic;' (the semi-colon is probably the important part since it's used as a separator in the affected HTTP header).
2. Go to the public web page, and request a certificate.
3. The suggested file name will be certreq, and not 'Branko ! Majic;'.
There might be other snippets here and there that are doing something similar. One that comes to my mind is the download of CA certificate/chain.
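As an added illustration (not EJBCA code), the Python below builds the Content-Disposition header for the username above the fragile way and the RFC 6266 way (quoted filename plus an RFC 5987 filename*), then parses both back to show which file name a conforming client would see; all function names are assumed.

```python
import re
import urllib.parse
from typing import List, Optional

# Constructed sample: the username from the report, semicolon included.
SAMPLE_NAME = "Branko ! Majic;"

def naive_disposition(filename: str) -> str:
    """Fragile form: unquoted value, so a ';' in the name ends the parameter."""
    return f"attachment; filename={filename}"

def safe_disposition(filename: str) -> str:
    """RFC 6266 quoted-string plus an RFC 5987 filename* (UTF-8, %-encoded)."""
    clean = re.sub(r"[\r\n]", "", filename)                # no header injection
    quoted = clean.replace("\\", "\\\\").replace('"', '\\"')
    fallback = quoted.encode("ascii", "replace").decode()  # ASCII for old clients
    ext = urllib.parse.quote(clean, safe="")               # ';' becomes '%3B'
    return f"attachment; filename=\"{fallback}\"; filename*=UTF-8''{ext}"

def split_params(header: str) -> List[str]:
    """Split on ';' only outside double quotes; respects backslash escapes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in header:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def parse_filename(header: str) -> Optional[str]:
    """Filename as a conforming client sees it: filename* wins, else filename."""
    plain = None
    for part in split_params(header)[1:]:
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "filename*":
            m = re.match(r"^([^']*)'[^']*'(.*)$", value)    # charset'lang'data
            if m:
                return urllib.parse.unquote(m.group(2), encoding=m.group(1) or "utf-8")
        elif name == "filename" and plain is None:
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                plain = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-string
            else:
                plain = value
    return plain
```

With the naive header the parsed name stops at the semicolon; with the quoted/encoded header the full username survives.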