Ajax update fails due to invalid characters in response XML (DoS)
cnsgithub opened this issue · 9 comments
I noticed that the `<f:ajax />` update fails when the updated form contains Unicode characters like \u000C, which are not allowed in the XML 1.0 spec.
1) Environment
WildFly 14.0.1
Mojarra 2.3.5.SP2
JDK10
2) Expected Behaviour
If the update response contains characters that are not allowed in XML, they should be filtered by Mojarra before writing the response.
3) Actual Behaviour
Illegal XML characters are not filtered and therefore the browser fails to parse the response. The ajax oncomplete handler tries to read the `responseXML` field from the `XMLHttpRequest` (see jsf.js). Because the XML contained invalid characters, the browser was not able to parse the response, which causes the `responseXML` to be null.
4) Steps to reproduce
I created a small github project to reproduce this behaviour: https://github.com/cnsgithub/mojarra-ajax
To reproduce:
- run `git clone https://github.com/cnsgithub/mojarra-ajax`
- run `mvn package wildfly:run`
- after the server has started, open http://localhost:8080/ajax/index.xhtml
- click the button, the error should occur
The issue also occurs with user supplied inputs:
- open http://localhost:8080/ajax/input.xhtml
- Enter the \u000C character into the input field
- Click the button
Issue #4145 also seems to describe this problem for an older mojarra version.
This issue should be addressed with high priority since it is security related (might be exploited for Denial of Service).
Since my PR has been closed, you might use the servlet filter workaround committed here: https://github.com/cnsgithub/mojarra-ajax/blob/master/src/main/java/main/IllegalXmlCharactersFilter.java
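The kind of servlet-filter mitigation referred to above, written here as an added illustration rather than the filter from the linked repository or any Mojarra code. It assumes the `javax.servlet` API (as used by WildFly 14 / Mojarra 2.3), that the FacesServlet is mapped to `*.xhtml`, and that the partial response is written through `getWriter()`; the class name `IllegalXmlCharactersFilterExample` is hypothetical. The filter only touches requests that jsf.js marks with the `Faces-Request: partial/ajax` header, and drops every character the XML 1.0 `Char` production forbids (control characters other than tab, LF and CR, plus U+FFFE/U+FFFF), so the browser can always parse `responseXML`:

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.Writer;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Strips characters forbidden by XML 1.0 from JSF partial/ajax responses.
 * Hypothetical example class; the url pattern is an assumption and must
 * match the FacesServlet mapping of the application it is deployed in.
 */
@WebFilter(urlPatterns = "*.xhtml")
public class IllegalXmlCharactersFilterExample implements Filter {

    /**
     * XML 1.0 "Char" production, checked per UTF-16 code unit. Surrogate
     * halves (0xD800-0xDFFF) are allowed through because a surrogate pair
     * encodes a legal supplementary character (e.g. emoji); rejecting one
     * half at a time in a streaming writer would corrupt such text.
     */
    static boolean isAllowedXmlCodeUnit(char c) {
        return c == 0x9 || c == 0xA || c == 0xD || (c >= 0x20 && c <= 0xFFFD);
    }

    /** Whole-string variant on code points, useful for unit tests. */
    static String stripIllegalXmlChars(String s) {
        StringBuilder out = new StringBuilder(s.length());
        s.codePoints()
         .filter(cp -> cp == 0x9 || cp == 0xA || cp == 0xD
                    || (cp >= 0x20 && cp <= 0xD7FF)
                    || (cp >= 0xE000 && cp <= 0xFFFD)
                    || (cp >= 0x10000 && cp <= 0x10FFFF))
         .forEach(out::appendCodePoint);
        return out.toString();
    }

    /** Streaming writer that silently drops forbidden code units. */
    static final class XmlSafeWriter extends FilterWriter {
        XmlSafeWriter(Writer out) { super(out); }

        @Override public void write(int c) throws IOException {
            if (isAllowedXmlCodeUnit((char) c)) { out.write(c); }
        }
        @Override public void write(char[] buf, int off, int len) throws IOException {
            for (int i = off; i < off + len; i++) { write(buf[i]); }
        }
        @Override public void write(String str, int off, int len) throws IOException {
            for (int i = off; i < off + len; i++) { write(str.charAt(i)); }
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // jsf.js sends this header on partial requests; only those carry XML.
        boolean ajax = req instanceof HttpServletRequest
            && "partial/ajax".equals(((HttpServletRequest) req).getHeader("Faces-Request"));
        if (!ajax) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
            private PrintWriter writer;
            @Override public PrintWriter getWriter() throws IOException {
                if (writer == null) {
                    // PrintWriter(Writer) adds no buffer of its own, so nothing
                    // is held back from the container's writer.
                    writer = new PrintWriter(new XmlSafeWriter(super.getWriter()), false);
                }
                return writer;
            }
        };
        chain.doFilter(req, wrapped);
    }
}
```

Responses written through `getOutputStream()` are not covered by this wrapper; if the application uses that path, the same stripping would have to be applied at the byte level after decoding. The filter removes the offending characters rather than escaping them because XML 1.0 gives no way to represent them at all, not even as character references.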
I have deployed the sample application to Payara 5.183, and the same problematic behavior occurs. I am not sure why PR4517 was closed, but I will review it to see if it resolves the issue.
Submitted PR4534, which includes fixes originally developed by @cnsgithub
This issue is stale because it has been open 2 years with no activity. Remove stale label or comment or this will be closed in 30 days
Still no comment on the PR.
Does this PR need to be resubmitted or something? Wondering why this was never merged?
@melloware the submitter closed it in favour of IQSS/dataverse#8242