Red Hat build of Keycloak: RHBK-4219

Keycloak should not allow matrix parameters in URLs as we don't use them [GHI#45533]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      No response

      Describe the bug

      As part of the JAX-RS features, each path element allows RFC-compliant matrix parameters, although Keycloak is not using them anywhere. They are basically ignored.

      It would be good to not allow any matrix parameter to harden Keycloak until we actually make use of them.

      Version

      main

      Regression

      [ ] The issue is a regression

      Expected behavior

      Return a 400 response when there is a semicolon in the URL

      Actual behavior

      Matrix parameters are silently ignored.

      How to Reproduce?

      Use a semicolon in a URL

      Anything else?

      I'll prepare a PR
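One way to implement the expected behaviour described above, shown here as an added illustration rather than the issue's PR or Keycloak's own code: a JAX-RS `@PreMatching` filter that rejects any request whose path carries matrix parameters with a 400. It assumes the `jakarta.ws.rs` namespace and a runtime that picks up `@Provider` classes; the class name is hypothetical.

```java
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.PathSegment;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

import java.io.IOException;
import java.util.List;

/**
 * Hypothetical hardening filter (not Keycloak's own code): the application never
 * reads matrix parameters (";name=value" inside a path segment), so instead of
 * silently ignoring them we refuse the request and narrow the accepted URL syntax.
 */
@Provider
@PreMatching   // runs before resource matching, so every endpoint is covered
public class RejectMatrixParametersFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // Primary check on the still-encoded path: any literal ';' is a matrix
        // delimiter per RFC 3986 and is rejected, even with no name after it.
        String rawPath = ctx.getUriInfo().getRequestUri().getRawPath();
        if (rawPath != null && rawPath.indexOf(';') >= 0) {
            abort(ctx);
            return;
        }
        // Secondary check via the JAX-RS runtime's own parsing, in case the
        // runtime normalised the path before we saw it.
        List<PathSegment> segments = ctx.getUriInfo().getPathSegments(false);
        for (PathSegment segment : segments) {
            if (!segment.getMatrixParameters().isEmpty()) {
                abort(ctx);
                return;
            }
        }
    }

    private static void abort(ContainerRequestContext ctx) {
        // 400 Bad Request: the client used syntax this service deliberately
        // does not accept; abortWith() short-circuits the rest of the chain.
        ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                .type("text/plain")
                .entity("matrix parameters are not supported")
                .build());
    }
}
```

A request such as `GET /realms;x=1/master` would be answered with 400 by this filter, while `GET /realms/master` passes through untouched.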

              Assignee: Unassigned
              Reporter: pvlha Pavel Vlha
              Keycloak Cloud Native