Cherry-pick of the 1.3.8 release branch#2672
Conversation
* Fixed JWT CVE related to exact PATH matches (#9) * Fixed JWT CVE related to exact PATH matches Problem: The JWT filter when matching exact paths included query parameters which meant the JWT requirement could be bypassed by adding a "?" after the path. The API was intended to only work for URIs. Solution: The fix updates the match logic to only include URIs i.e. path stripped off the query section. Added unit tests to validate these cases. * Fixed formatting * Strip fragment of Path Added unit tests to validate combination of query & fragment * Fix lint * Minor refactoring and more unit test cases (#11) * Minor refactoring and more unit test cases * Lint fixes
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
googlebot
added
the
cla: no
rlenglet
added
cla: yes
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
istio-testing
added
the
size/M
4 participants
Cherry-pick of the commits from the 1.3.8 release branch (istio/proxy:release-1.3.8-patch).