[ https://issues.apache.org/jira/browse/HTTPCLIENT-2337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17879506#comment-17879506 ]
Michael Osipov edited comment on HTTPCLIENT-2337 at 9/5/24 10:12 AM:
---------------------------------------------------------------------

I see at least three ways to approach this:

* Get the DER value and process manually with Kerby ASN.1 to process non-printable chars
* Parse as {{LdapName}} and process {{RDNs}} separately
* For the poor:

{code:java}
// x509Cert and toExtendedRFC2253String() belong to the commenter's test setup and are not shown in the comment
String value = toExtendedRFC2253String(x509Cert.getSubjectX500Principal());
StringBuilder sb = new StringBuilder();
for (char c : value.toCharArray()) {
    if (Character.isISOControl(c)) {
        // replace each C0/C1 control character with a visible \xNN escape
        sb.append("\\x").append(String.format("%02x", (int) c));
    } else {
        sb.append(c);
    }
}
System.out.println(sb);
{code}

Output:

{code}
CN=\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08This🙈CN🌴Has\x09Ctrl\x08And\x0cOtherSpecial\x0aChars\\x0d,O=Test
{code}


> Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory
> -------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2337
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2337
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>    Affects Versions: 4.5.14, 5.3.1, 5.4-beta1
>            Reporter: Winfried Gerlach
>            Priority: Major
>             Fix For: 5.4-beta2
>
>         Attachments: example-cert.pem, image-2024-09-03-08-43-06-757.png
>
>
> We noticed that in both Apache HTTP Client 4.x and 5.x, {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without sanitizing the fields.
> If, e.g., the CN contains control characters like {{\b}} or {{\n}}, this could be used by an attacker to tamper with the log of the application (remove stuff, add line breaks etc.).
> !image-2024-09-03-08-43-06-757.png!
> In the screenshot, the CN has a \b after "Control", so the last letter "l" is removed from the log.
> We don't consider this behavior particularly dangerous because it happens on debug level only and the logger can also be turned off completely if needed.
> You may still want to think about sanitizing the RDN values before logging or somehow avoiding logging the X500Principal completely.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
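An added worked example in Java, written for this page and not taken from HttpClient or from the ticket's participants, that puts the comment's second and third approaches together. It builds a subject DN whose CN carries a backspace, a tab and a CR/LF followed by text shaped like a fresh log record (a constructed sample, not the attached example-cert.pem), encoded by hand as DER so that no string parser can reject or normalise the control characters on the way in. It then shows that {{X500Principal.getName(RFC2253)}} leaves those characters raw, parses the name with {{LdapName}}, and rebuilds it RDN by RDN with C0/C1 control characters hex-escaped. The class and method names, the `\NN` escape style (RFC 4514 hex pairs rather than the `\xNN` used in the comment) and the sample values are choices made here, not anything defined by the project.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class SafeDnLogging {

    // DER tags used below; every length in this sample stays below 128, so short-form lengths suffice.
    private static final int SEQUENCE = 0x30, SET = 0x31, UTF8_STRING = 0x0C;
    // Pre-encoded OIDs: commonName = 2.5.4.3, organizationName = 2.5.4.10
    private static final byte[] OID_CN = {0x06, 0x03, 0x55, 0x04, 0x03};
    private static final byte[] OID_O  = {0x06, 0x03, 0x55, 0x04, 0x0A};

    /** Minimal DER TLV builder (short-form length only). */
    private static byte[] tlv(int tag, byte[]... contents) {
        int len = 0;
        for (byte[] c : contents) len += c.length;
        if (len > 127) throw new IllegalArgumentException("sample only supports short-form lengths");
        byte[] out = new byte[2 + len];
        out[0] = (byte) tag;
        out[1] = (byte) len;
        int pos = 2;
        for (byte[] c : contents) {
            System.arraycopy(c, 0, out, pos, c.length);
            pos += c.length;
        }
        return out;
    }

    /** RelativeDistinguishedName ::= SET OF AttributeTypeAndValue, here one UTF8String-valued attribute. */
    private static byte[] rdn(byte[] oid, String value) {
        return tlv(SET, tlv(SEQUENCE, oid, tlv(UTF8_STRING, value.getBytes(UTF_8))));
    }

    /** Constructed sample subject (hypothetical, not the ticket's certificate). */
    public static X500Principal sampleSubject() {
        String cn = "Control\bChars\tHere\r\nINFO  login ok for admin";
        // Name ::= SEQUENCE OF RDN, most significant first; the RFC 2253 string form prints it reversed (CN first).
        return new X500Principal(tlv(SEQUENCE, rdn(OID_O, "Test"), rdn(OID_CN, cn)));
    }

    /** What an unsanitised DEBUG statement emits: RFC 2253 escaping covers ',', '+', '"' etc., not control characters. */
    public static String unsanitized(X500Principal subject) {
        return subject.getName(X500Principal.RFC2253);
    }

    /** Hex-escape C0/C1 control characters as "\NN" (RFC 4514 style); everything else is left intact. */
    public static String escapeControls(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (Character.isISOControl(c)) {
                sb.append('\\').append(String.format("%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Parse the DN into RDNs and rebuild it value by value. Rdn.escapeValue restores the RFC 2253
     * escaping that LdapName removed while parsing; escapeControls then neutralises the characters
     * that RFC 2253 escaping leaves untouched.
     */
    public static String sanitized(X500Principal subject) throws InvalidNameException {
        LdapName name = new LdapName(subject.getName(X500Principal.RFC2253));
        StringBuilder sb = new StringBuilder();
        // LdapName indexes from the right (index 0 is O=Test), so walk backwards to keep CN first.
        for (int i = name.size() - 1; i >= 0; i--) {
            Rdn rdn = name.getRdn(i);
            if (sb.length() > 0) sb.append(',');
            sb.append(rdn.getType()).append('=')
              .append(escapeControls(Rdn.escapeValue(rdn.getValue())));
        }
        return sb.toString();
    }

    /** Check a log field before it reaches the appender. */
    public static boolean hasControlChars(String s) {
        return s.chars().anyMatch(Character::isISOControl);
    }

    public static void main(String[] args) throws InvalidNameException {
        X500Principal subject = sampleSubject();
        String raw = unsanitized(subject);
        String safe = sanitized(subject);
        // On a terminal the raw form eats the 'l' of "Control" and starts a second, forged-looking line.
        System.out.println("DEBUG raw : " + raw);
        System.out.println("DEBUG safe: " + safe);
        System.out.println("control chars present? raw=" + hasControlChars(raw) + " safe=" + hasControlChars(safe));
    }
}
```

With this input {{sanitized()}} yields {{CN=Control\08Chars\09Here\0D\0AINFO  login ok for admin,O=Test}} on one line. Two caveats for anyone adopting the pattern: {{Character.isISOControl}} only covers U+0000 to U+001F and U+007F to U+009F, so Unicode line and paragraph separators (U+2028, U+2029) and bidirectional override characters pass through and may still need filtering depending on where the log is rendered; and escaping the whole DN string after the fact, as the comment's third option does, is simpler than the RDN walk but cannot tell a control character inside a value from one that was already an escape sequence, which is why the per-RDN form escapes each value separately.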