Description of problem:
After execution of the following URL, got an unrecoverable error message.

Version-Release number of selected component (if applicable):
10.2.6-10.el7pki

How reproducible:
Always

Steps to Reproduce:
1. Authenticate with a CA agent certificate.
2. The following URL is being used to test Cross-Site Scripting in the nonce parameter.
3. In the browser, paste the following URL with your CA's host and agent port.

https://hostname:<secure-port>/ca/agent/ca/profileProcess?requestId=%20%2b%20requestId%20%2b%20&' + recordSet[i].defListSet[j].defId + '='%20%2b%20escapeValue(recordSet%5bi%5d.defListSet%5bj%5d.defVal)%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '=%20%2b%20c%5bk%5d%20%2b%20&' + recordSet[i].defListSet[j].defId + '=false&requestNotes='%20%2b%20requestNotes%20%2b%20'&op=unassign&nonce=%5c%22%22%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%31%32%31%33%29%3c%2f%73%43%72%49%70%54%3e&submit=submit

Actual results:
The Certificate System has encountered an unrecoverable error.

Error Message:
java.lang.NumberFormatException: Illegal embedded sign character

Please contact your local administrator for assistance.

Expected results:

Additional info:
(In reply to Amol K from comment #0)
> Description of problem:
> After execution of the following URL, got an unrecoverable error message.
>
> Version-Release number of selected component (if applicable):
> 10.2.6-10.el7pki
>
> How reproducible:
> Always
>
> Steps to Reproduce:
> 1. Authenticate with a CA agent certificate.
> 2. The following URL is being used to test Cross-Site Scripting in the nonce parameter.
> 3. In the browser, paste the following URL with your CA's host and agent port.
>
> https://hostname:<secure-port>/ca/agent/ca/profileProcess?requestId=%20%2b%20requestId%20%2b%20&' + recordSet[i].defListSet[j].defId + '='%20%2b%20escapeValue(recordSet%5bi%5d.defListSet%5bj%5d.defVal)%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '=%20%2b%20c%5bk%5d%20%2b%20&' + recordSet[i].defListSet[j].defId + '=false&requestNotes='%20%2b%20requestNotes%20%2b%20'&op=unassign&nonce=%5c%22%22%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%31%32%31%33%29%3c%2f%73%43%72%49%70%54%3e&submit=submit
>
> Actual results:
> The Certificate System has encountered an unrecoverable error.
>
> Error Message:
> java.lang.NumberFormatException: Illegal embedded sign character
>
> Please contact your local administrator for assistance.
>
> Expected results:
>

What was expected? Basically, this appears to work as expected, as the cross-site attack appeared to be thwarted.

> Additional info:
Expected Outcome is:

Request
-------------
Request Information
===============================================
| Error Code:   | 1                   |
===============================================
| Error Reason: | Operation Not Found |
===============================================

But we got:
java.lang.NumberFormatException: Illegal embedded sign character
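The failure mode reported in comment #0 and the error record expected in the comment above, as an added Java example (not Dogtag's own servlet code). The message "Illegal embedded sign character" is the one java.math.BigInteger's String constructor throws when a '+' or '-' appears anywhere other than the first character, and the report's requestId value decodes to " + requestId + ", which has exactly that shape. The example assumes the parameters are parsed with BigInteger (requestId) and Long.parseLong (nonce); the parseQuery helper, the Result class, the list of accepted operations and the mapping of any malformed value to "Error Code 1 / Operation Not Found" are assumptions made for the example, not the servlet's actual behaviour. The query string is constructed from the report's URL with the same requestId, op and nonce values and the JavaScript-template parameters dropped.

```java
import java.math.BigInteger;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class ProfileProcessParamCheck {

    /** Error record in the shape the reporter expected the page to render (hypothetical class). */
    static final class Result {
        final int errorCode;
        final String errorReason;

        Result(int errorCode, String errorReason) {
            this.errorCode = errorCode;
            this.errorReason = errorReason;
        }

        @Override
        public String toString() {
            return "Error Code: " + errorCode + " / Error Reason: " + errorReason;
        }
    }

    /** Minimal query-string parser: split on '&' and '=', percent-decode both sides (Java 10+ overload). */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new HashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /**
     * Unchecked parse, the way a servlet that trusts its parameters would do it.
     * " + requestId + " carries a sign character that is not in position 0, so
     * BigInteger throws NumberFormatException("Illegal embedded sign character"),
     * and nothing here stops it from reaching the generic "unrecoverable error" page.
     */
    static BigInteger requestIdUnchecked(Map<String, String> params) {
        return new BigInteger(params.get("requestId"));
    }

    /**
     * Checked handling: validate the shape of every numeric parameter before
     * parsing, map any malformed value to an ordinary error record, and keep the
     * raw (possibly script-bearing) value out of the response entirely.
     */
    static Result handleChecked(Map<String, String> params) {
        String requestId = params.get("requestId");
        String nonce = params.get("nonce");
        String op = params.get("op");

        // Decimal digits only. The length caps keep Long.parseLong from overflowing,
        // so neither parse below can throw once the regex has passed.
        if (requestId == null || !requestId.matches("[0-9]{1,40}")
                || nonce == null || !nonce.matches("[0-9]{1,18}")) {
            return new Result(1, "Operation Not Found"); // assumed mapping, mirrors the expected record above
        }
        if (op == null || !(op.equals("approve") || op.equals("reject")
                || op.equals("cancel") || op.equals("assign") || op.equals("unassign"))) {
            return new Result(1, "Operation Not Found"); // assumed operation list for this example
        }
        BigInteger id = new BigInteger(requestId);
        long nonceValue = Long.parseLong(nonce);
        // A real servlet would now look the nonce up in its per-session table and act on the request.
        return new Result(0, "accepted request " + id + " with nonce " + nonceValue + " for op " + op);
    }

    public static void main(String[] args) {
        // Constructed from the report's URL: same requestId, op and nonce values,
        // the JavaScript-template parameters dropped.
        String query = "requestId=%20%2b%20requestId%20%2b%20&op=unassign&nonce="
                + "%5c%22%22%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%31%32%31%33%29"
                + "%3c%2f%73%43%72%49%70%54%3e&submit=submit";
        Map<String, String> params = parseQuery(query);
        System.out.println("decoded nonce  : " + params.get("nonce"));
        try {
            requestIdUnchecked(params);
            System.out.println("unchecked parse: accepted");
        } catch (NumberFormatException e) {
            System.out.println("unchecked parse: " + e);
        }
        System.out.println("checked parse  : " + handleChecked(params));

        // Well-formed input goes through the checked path without an exception.
        System.out.println("well-formed    : "
                + handleChecked(parseQuery("requestId=17&op=unassign&nonce=123456789")));
    }
}
```

Compile and run with `javac ProfileProcessParamCheck.java && java ProfileProcessParamCheck`. The point of the checked path is that the decision whether to proceed is made on the validated shape of the input, so the exception path never exists, and the error record is a fixed string rather than anything derived from the nonce value, so the script payload in it is never reflected.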
Upstream ticket: https://fedorahosted.org/pki/ticket/2315
Per Bug Triage of 05/03/2016: RHEL 7.4

NOTE: Discussed and confirmed with aakkiang over IRC.
Per 10.5.x/10.6 Triage: 10.6

cfu: fix looks relatively simple
Moved to RHEL 7.7.