ignore duplicates in http request check

Issue #394 resolved
Markus Strehle created an issue

Sometimes client frameworks create polluted authorization requests where they have not cleaned their parameters, and this could lead to situations with duplicate parameter values, e.g. redirect_uri. In OIDC SDK 8.x this is/was ignored.

With 9.x there is an exception even if the values are the same value. We used SDK 8.x until now and would like to upgrade to 9.x. We received an issue where such requests were rejected.

I propose to check the input with a Set instead of a List in order to indirectly omit the duplicates.

Comments (6)

  1. Markus Strehle reporter

    https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/345/token-and-authz-request-must-fail-with-400

    I see the check was introduced with 9.2 and I see a need for it if the values are different, but if multiple values in a parameter contain the same content then this is no security issue; as explained, this often happens because the clients do not clean their own parameter construction and merge parameters from different sources together.

  2. Yavor Vasilev

    Hi Markus,

    The PR was merged and pushed out so you can continue work on your project.

    version 9.37.3 (2022-07-04)

    * Updates MultivaluedMapUtils.getKeysWithMoreThanOneValue to treat keys that map to two or more identical values as single-valued. Intended to work around authorisation and other requests from libraries that include multiple duplicate parameter values, for instance duplicate redirect_uri values (iss #394).
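The behaviour change described in the changelog above (and the Set-based check proposed in the issue) can be shown with a small stand-alone example. The code below is an added illustration, not the SDK's own MultivaluedMapUtils implementation: both helper methods and the sample request parameters are constructed here. The strict check reports any parameter carrying more than one value, the relaxed check first collapses the values into a Set so that a repeated identical redirect_uri passes while two different redirect_uri values are still reported.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DuplicateParamCheck {

    // Strict variant (the 9.2 behaviour the issue complains about):
    // any key with two or more values is reported, even if they are identical.
    static Set<String> keysWithMoreThanOneValue(Map<String, List<String>> params) {
        Set<String> result = new HashSet<>();
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            List<String> values = e.getValue();
            if (values != null && values.size() > 1) {
                result.add(e.getKey());
            }
        }
        return result;
    }

    // Relaxed variant (the 9.37.3 behaviour): values are first de-duplicated
    // through a Set, so a key is only reported if it maps to more than one
    // DISTINCT value. This is a hypothetical re-implementation, not SDK code.
    static Set<String> keysWithMoreThanOneDistinctValue(Map<String, List<String>> params) {
        Set<String> result = new HashSet<>();
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            List<String> values = e.getValue();
            if (values == null) {
                continue;
            }
            Set<String> distinct = new HashSet<>(values);
            if (distinct.size() > 1) {
                result.add(e.getKey());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: a "polluted" authorization request in which the
        // client framework merged redirect_uri from two sources with the same value.
        Map<String, List<String>> request = new LinkedHashMap<>();
        request.put("response_type", List.of("code"));
        request.put("client_id", List.of("example-client"));           // constructed value
        request.put("redirect_uri", List.of("https://client.example.org/cb",
                                            "https://client.example.org/cb"));
        request.put("state", List.of("constructed-state"));            // constructed value

        System.out.println("strict  : " + keysWithMoreThanOneValue(request));
        System.out.println("relaxed : " + keysWithMoreThanOneDistinctValue(request));

        // Genuinely ambiguous request: two DIFFERENT redirect_uri values.
        // Both variants report redirect_uri, so the request is still rejected.
        request.put("redirect_uri", List.of("https://client.example.org/cb",
                                            "https://other.example.org/cb"));

        System.out.println("strict  : " + keysWithMoreThanOneValue(request));
        System.out.println("relaxed : " + keysWithMoreThanOneDistinctValue(request));
    }
}
```

Compile and run with `javac DuplicateParamCheck.java && java DuplicateParamCheck`. The first pair of lines shows the strict check flagging the repeated-but-identical redirect_uri while the relaxed check accepts it; the second pair shows that a parameter with two different values is rejected by both, which is the case the original check in 9.2 was introduced for.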
