  1. EJBCA
  2. ECA-3302

Escaping of user-provided data when no characters are forbidden

    Details

    • Issue discovered during:
      Testing

      Description

      With the introduction of the ability to specify which characters are forbidden by EJBCA (ECA-3178), some parts of the code that used to assume all content gets stripped of some dangerous characters might not handle some of the input correctly.

      I have identified at least one such case when enrolling for a JKS file (possibly PEM etc. are affected as well):

      1. Add end entity with username set to something like 'Branko ! Majic;' (the semi-colon is probably the important part since it's used as separator in affected HTTP header).

      2. Go to the public web page, and request a certificate.

      3. The suggested file name will be certreq, and not 'Branko ! Majic;'.

      There might be other snippets here and there that are doing something similar. One that comes to my mind is the download of CA certificate/chain.
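
The failure mode described in the report above, shown as an added example that is not part of the original issue and is not EJBCA's code: a user name placed unescaped in a download header, next to a form that quotes and encodes it. It assumes the affected header is Content-Disposition and that the file name is the user name plus a .jks extension; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;

// Added illustration, not EJBCA code. Assumes the affected header is Content-Disposition.
public class ContentDispositionExample {

    // Unescaped form: a ';' in the user name is parsed as a parameter separator,
    // so the client no longer sees the intended file name.
    static String naive(String username) {
        return "attachment; filename=" + username + ".jks";
    }

    // Escaped form: quoted-string ASCII fallback plus an RFC 5987 filename* parameter.
    static String hardened(String username) {
        String name = username + ".jks";
        return "attachment; filename=\"" + asciiFallback(name)
                + "\"; filename*=UTF-8''" + rfc5987(name);
    }

    // Replace control characters (including CR/LF), non-ASCII, '"' and '\' with '_'
    // so the value cannot end the quoted-string or the header line.
    static String asciiFallback(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean ok = c >= 0x20 && c < 0x7f && c != '"' && c != '\\';
            sb.append(ok ? c : '_');
        }
        return sb.toString();
    }

    // Percent-encode every UTF-8 byte that is not an RFC 5987 attr-char.
    static String rfc5987(String s) {
        final String attrChars = "!#$&+-.^_`|~";
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            boolean alnum = (v >= '0' && v <= '9') || (v >= 'A' && v <= 'Z')
                    || (v >= 'a' && v <= 'z');
            if (alnum || attrChars.indexOf(v) >= 0) {
                sb.append((char) v);
            } else {
                sb.append(String.format("%%%02X", v));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String username = "Branko ! Majic;"; // user name from the report's step 1
        System.out.println(naive(username));
        System.out.println(hardened(username));
    }
}
```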

              People

              Assignee:
              tomas Tomas Gustavsson
              Reporter:
              branko Branko Majic (Inactive)
              Verified by:
              Samuel Lidén Borell
