Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-17486

ELY23045: Unable to create redirect response

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • 26.1.2.Final
    • Security
    • None
    • Hide

      Trigger org.wildfly.security.http.oidc.OidcRequestAuthenticator.getRedirectUri() method using a URL containing a parameter value with a + encoded space or %2B encoded plus and it'll be unencoded to an actual space resulting in an java.net.URISyntaxException: Illegal character in query.

      https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java#L160

      I think this was working in Wildfly 16 without the Elytron redirect.

      The redirect appears to be triggered if I start Wildfly with "-b 0.0.0.0" and then navigate my web browser to Wildfly using the workstation IP address. It doesn't trigger if I just use localhost.

      Show
      Trigger org.wildfly.security.http.oidc.OidcRequestAuthenticator.getRedirectUri() method using a URL containing a parameter value with a + encoded space or %2B encoded plus and it'll be unencoded to an actual space resulting in an java.net.URISyntaxException: Illegal character in query. https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java#L160 I think this was working in Wildfly 16 without the Elytron redirect. The redirect appears to be triggered if I start Wildfly with "-b 0.0.0.0" and then navigate my web browser to Wildfly using the workstation IP address. It doesn't trigger if I just use localhost.
    • ---
    • ---

      Navigating to a Wildfly URL that triggers a redirect with a URL that contains application/x-www-form-urlencoded MIME format characters (such as a space encoded as a + or %2B) can result in an ELY23045 exception.   Browsing the Elytron source code on GitHub I noticed some suspicious code - invoking URLDecoder.decode on an entire URI doesn't seem right as it should only be used on individual URL parameters:

      https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcHttpFacade.java#L208

      Exception is caught and thrown again here: 

      https://github.com/wildfly-security/wildfly-elytron/blob/0ac3b88a5b755b4ebfe947a20f4dd75a157aa5ec/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcRequestAuthenticator.java#L191

              fjuma1@redhat.com Farah Juma
              slominskir Ryan Slominski (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: