Spring Security remember me cookie Unicode characters wrong


Problem description

I'm using Spring Boot, Spring MVC and Spring Security to make a simple website. On the login page, I've got a remember-me checkbox. When it's ticked and I log in, a remember-me cookie is created for the browser. I've tried both Chrome and Firefox.


The cookie is below.

Name:   remember-me
Content:    Pz8/Pz8/OjE0NjQ5ODcxMjQxMDk6YTc1MDMzNTM0ZmNhNjc3YmUwOTljZGNjN2EyYTk1NjM
Domain: localhost
Path:   /gy
Send For:   Any kind of connection
Accessible to Script:   No (HttpOnly)
Created:    Friday, 20 May 2016 at 21:52:04
Expires:    Friday, 3 June 2016 at 21:52:04

The content above is in base64 format. The decoded string is below.

??????:1464987124109:a75033534fca677be099cdcc7a2a9563


The first part is the username, which consists of Chinese characters but is shown as ??????.

I know that to save Unicode characters to a cookie, we should use the URLEncoder class to encode them first, and then decode them after reading them back. I'm new to Java and Spring, so I have no idea how to customise the remember-me cookie to handle Unicode characters.


Any clue to solve the issue would be appreciated. Thanks!

Recommended answer


This is a bug in Spring Security. It calculates the MD5 like this:

Hex.encode(digest.digest(data.getBytes()));

using the 0-argument version of getBytes, which encodes Unicode characters to bytes using the default encoding. The default encoding varies, but clearly on your server it is an encoding that cannot contain Chinese characters.

The default encoding should never be relied upon. It very often isn't a UTF, so it can't contain all Unicode characters. Also, since it's not fixed, it can break your tokens when you move from one server to another. Spring should have set an explicit UTF encoding, e.g. getBytes("UTF-8").


This is not the only property of remember-me that worries me:

  • it's using MD5, a hashing algorithm which is long past its prime, and increasingly vulnerable to attack. It's not even using HMAC-MD5, which would mitigate this (HMAC is designed for exactly this purpose)

  • all non-supported characters get silently squashed into the same character, ?, which means that the hash for user 你好 would be the same as the hash for user ☃☃. So it could in theory be possible to log in as any victim user with a non-supported character in their username (or a question mark itself!), by creating another user with a different non-supported character in their username, and then altering the cookie to include the victim username with the new user's hash. (In practice, however, (a) the presence of the ‘password’ field in the hash complicates matters, although that too is vulnerable to Unicode character squashing, and (b) luckily the cookie itself is also incorrectly decoded using the default encoding, preventing one from getting arbitrary Unicode characters into the checker in the first place).

  • it throws strings together without any escaping for delimiters, so weirdness happens when components have colons in. You probably can't really do much of an attack with that directly, but it's shonky and the attempt to work around it is gloriously half-arsed.


I wouldn't trust this code to protect my web application; it is disappointing to see this kind of thing in a high profile security library.
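As an added illustration (not code from the question, the answer or Spring Security itself), the following Java snippet hashes a remember-me style string once through a non-UTF charset and once through UTF-8, showing the '?' squashing and the resulting digest collision the answer describes, and how an explicit UTF-8 charset avoids it. The expiry, password and key values are constructed; the username:expiry:password:key layout is that of Spring's TokenBasedRememberMeServices, and ISO-8859-1 stands in for whatever non-UTF default charset the server happened to have.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class RememberMeCharsetDemo {
    // Constructed sample values standing in for the real token fields.
    static final long EXPIRY = 1464987124109L;
    static final String PASSWORD = "constructed-password";
    static final String KEY = "constructed-key";

    // Same layout as Spring's remember-me signature, but with the charset made
    // explicit so the default-charset behaviour and the UTF-8 fix can be compared.
    static String signature(String username, Charset cs) throws NoSuchAlgorithmException {
        String data = username + ":" + EXPIRY + ":" + PASSWORD + ":" + KEY;
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] digest = md5.digest(data.getBytes(cs));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        Charset legacy = StandardCharsets.ISO_8859_1; // a charset that cannot hold CJK text
        Charset utf8 = StandardCharsets.UTF_8;

        // Unmappable characters are replaced by '?', so both names become "??".
        System.out.println(new String("你好".getBytes(legacy), legacy)); // ??
        System.out.println(new String("☃☃".getBytes(legacy), legacy)); // ??

        // Squashed input means two different usernames share one signature.
        String a = signature("你好", legacy);
        String b = signature("☃☃", legacy);
        System.out.println("legacy charset, signatures equal: " + a.equals(b)); // true

        // With an explicit UTF-8 encoding the two usernames hash differently.
        String c = signature("你好", utf8);
        String d = signature("☃☃", utf8);
        System.out.println("UTF-8, signatures equal: " + c.equals(d)); // false
    }
}
```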
