WildFly
WFLY-17486

ELY23045: Unable to create redirect response


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Version: 26.1.2.Final
    • Component: Security
    • Environment:

      Trigger the org.wildfly.security.http.oidc.OidcRequestAuthenticator.getRedirectUri() method using a URL containing a parameter value with a + encoded space or a %2B encoded plus, and it'll be unencoded to an actual space, resulting in a java.net.URISyntaxException: Illegal character in query.

      https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java#L160

      I think this was working in WildFly 16 without the Elytron redirect.

      The redirect appears to be triggered if I start WildFly with "-b 0.0.0.0" and then navigate my web browser to WildFly using the workstation IP address. It doesn't trigger if I just use localhost.


    Description

      Navigating to a WildFly URL that triggers a redirect with a URL that contains application/x-www-form-urlencoded MIME format characters (such as a space encoded as a + or %2B) can result in an ELY23045 exception. Browsing the Elytron source code on GitHub, I noticed some suspicious code: invoking URLDecoder.decode on an entire URI doesn't seem right, as it should only be used on individual URL parameters:

      https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcHttpFacade.java#L208

      The exception is caught and thrown again here:

      https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java#L191
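      The following is an added example, not Elytron's code, that makes the decode-before-parse problem described above concrete. The class, the method names and the sample URL are constructed for illustration, and it assumes Java 10 or later for the Charset overloads of URLDecoder.decode and URLEncoder.encode. It contrasts form-decoding the whole URI string (which turns a + in the query into a space that java.net.URI rejects, and a %2B into a bare +) with parsing the URI first and decoding each query value on its own, then re-encoding the values when rebuilding the redirect target.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectUriDecoding {

    // Pattern the report describes: form-decode the whole URI string, then
    // parse it. A "+" in the query becomes a space, which java.net.URI rejects,
    // and a "%2B" becomes a bare "+", which a later form-decode reads as a space.
    static URI decodeWholeUri(String rawUri) throws URISyntaxException {
        String decoded = URLDecoder.decode(rawUri, StandardCharsets.UTF_8);
        return new URI(decoded);
    }

    // Safer order: parse first (getRawQuery() keeps "+" and percent-escapes
    // intact), then form-decode each query key and value individually.
    static Map<String, String> queryParams(URI uri) {
        Map<String, String> params = new LinkedHashMap<>();
        String rawQuery = uri.getRawQuery();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Rebuild a redirect target from the parsed parts, re-encoding each value so
    // the result is a valid URI and the original parameter values round-trip.
    static URI rebuildRedirect(URI original, Map<String, String> params) throws URISyntaxException {
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (query.length() > 0) {
                query.append('&');
            }
            query.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
                 .append('=')
                 .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        String base = original.getScheme() + "://" + original.getRawAuthority() + original.getRawPath();
        return new URI(query.length() == 0 ? base : base + "?" + query);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request URL: "q" carries a form-encoded space ("+"),
        // "tag" carries literal plus signs ("%2B"), "next" carries an encoded "&".
        String raw = "http://192.0.2.10:8080/app/?q=hello+world&tag=c%2B%2B&next=a%26b";

        try {
            decodeWholeUri(raw);
            System.out.println("whole-URI decode unexpectedly succeeded");
        } catch (URISyntaxException ex) {
            // "Illegal character in query": the "+" in q became a space before parsing
            System.out.println("whole-URI decode failed: " + ex.getMessage());
        }

        URI parsed = new URI(raw);
        Map<String, String> params = queryParams(parsed);
        System.out.println(params);       // {q=hello world, tag=c++, next=a&b}

        URI redirect = rebuildRedirect(parsed, params);
        System.out.println(redirect);     // http://192.0.2.10:8080/app/?q=hello+world&tag=c%2B%2B&next=a%26b
    }
}
```

      Besides the exception, the ordering matters for integrity of the redirect: decoding the whole string before parsing also turns an encoded "&", "=" or "/" inside a value into a structural delimiter, so the rebuilt redirect can carry different parameters than the client sent. Parsing first keeps encoded delimiters inside their values, and re-encoding on the way out keeps the target a valid URI.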

      People

        Assignee: Farah Juma (fjuma1@redhat.com)
        Reporter: Ryan Slominski (slominskir)