coheigea opened a new pull request, #3142: URL: https://github.com/apache/cxf/pull/3142
JSON allows you to write any character using a backslash-u escape — for example, \u006e means the letter n. The CXF parser was ignoring these escapes completely and just returning the raw text. So if a JWT contained "alg":"\u006e\u006f\u006e\u0065", CXF's parser would give you the 24-character string \u006e\u006f\u006e\u0065 rather than the 4-character string none.

CXF's own algorithm check would look at that ugly literal string, not recognise it as none, and pass it through — while a different, standards-compliant parser further down the chain would decode it correctly and see none, potentially disabling signature verification.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
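The parser differential described in the PR, as an added worked example. This is not CXF code and not part of the PR; the header, the token assembly and every function name (naive_alg, compliant_alg, accepts_naive, accepts_hardened) are constructed here for illustration. The naive reader is a stand-in that mimics the described bug (it returns the raw bytes between the quotes without processing escapes); the compliant reader is Python's json module, which decodes backslash-u escapes per the JSON spec. The check built on the naive reader is a denylist on the undecoded string, the hardened check decodes first and then compares against an allowlist, so it rejects both the escaped spelling of none and any algorithm the application never intended to accept.

```python
import base64
import json
import re

# Constructed JWT header (not taken from the PR): "alg" spelled with
# backslash-u escapes, which a compliant JSON parser decodes to "none".
ESCAPED_HEADER = '{"alg":"\\u006e\\u006f\\u006e\\u0065","typ":"JWT"}'
PLAIN_HEADER = '{"alg":"RS256","typ":"JWT"}'


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header_json: str, payload: dict, signature: bytes = b"") -> str:
    """Assemble header.payload.signature. The signature defaults to empty
    because alg "none" is exactly the case where a downstream verifier
    would accept an unsigned token."""
    return ".".join([
        b64url_encode(header_json.encode("utf-8")),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")),
        b64url_encode(signature),
    ])


def header_json_of(token: str) -> str:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return b64url_decode(parts[0]).decode("utf-8")


def naive_alg(header_json: str) -> str:
    """Hypothetical reader mimicking the bug the PR describes: it returns the
    raw characters between the quotes and never processes escapes.
    A constructed stand-in, not CXF's parser."""
    match = re.search(r'"alg"\s*:\s*"((?:[^"\\]|\\.)*)"', header_json)
    if match is None:
        raise ValueError("alg header missing")
    return match.group(1)


def compliant_alg(header_json: str) -> str:
    """Standards-compliant reader: json.loads decodes backslash-u escapes."""
    alg = json.loads(header_json).get("alg")
    if not isinstance(alg, str):
        raise ValueError("alg header missing or not a string")
    return alg


def accepts_naive(token: str) -> bool:
    """Denylist check on the undecoded string: the escaped spelling of
    "none" is 24 characters long and slips past."""
    return naive_alg(header_json_of(token)).lower() != "none"


def accepts_hardened(token: str, allowed: frozenset) -> bool:
    """Decode first, then compare against an allowlist rather than a denylist,
    so neither escape tricks nor an unexpected algorithm get through."""
    return compliant_alg(header_json_of(token)) in allowed


if __name__ == "__main__":
    allowed = frozenset({"RS256", "ES256"})
    for label, hdr in (("escaped none", ESCAPED_HEADER), ("RS256", PLAIN_HEADER)):
        tok = make_token(hdr, {"sub": "alice"})
        print(label, "naive:", accepts_naive(tok),
              "hardened:", accepts_hardened(tok, allowed))
```

Running the block prints that the escaped token passes the naive check but is rejected by the hardened one, while the RS256 token passes both. The practical lesson is the allowlist: even once the parser decodes escapes correctly, comparing the decoded value against the set of algorithms the application actually expects is what makes the check robust to the next encoding trick.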
