WS invalid URI parsing
28 Aug 2017
A low-severity vulnerability has been found in the URI parsing of AsyncHttpClient, which is used by the Play WS client and by the play-ws-standalone library.
This library causes the WS API to improperly parse the URI's authority component if it is followed by #. For example, passing http://firstname.lastname@example.org/foo.txt will actually make a request to
The AsyncHttpClient issue is also described in AsyncHttpClient issue 1455.
If users are allowed to pass arbitrary URI strings, this vulnerability could be used to circumvent whitelists or blacklists of host names. An RFC-compliant parser would correctly parse http://email@example.com/foo.txt. Note that this issue does not affect URIs like http://firstname.lastname@example.org/foo.txt, with the slash at the beginning of the path.
- Play 2.6.0-2.6.3
- play-ws-standalone 1.0.0-1.0.6
- Play 2.5.0-2.5.16
- All previous 2.x versions
Parse the URI using a compliant parser like java.net.URI. If the path is empty, replace the empty path with a single slash.
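The workaround above, and the host check it is meant to protect, written out as an added example. This is not code from Play or AsyncHttpClient: the class name, the allow-list contents and the sample URIs are constructed for illustration. It parses the caller-supplied string with java.net.URI, checks the host the compliant parser extracted against an allow-list, and rebuilds the URI with a "/" path whenever the path is empty, so a URI whose authority is followed directly by "#" or "?" is handed to the HTTP client in the unambiguous slash-path form.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public final class SafeWsUri {
    // Hypothetical allow-list of hosts this service may call (constructed for the example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.org");

    /**
     * Parses raw with the RFC 3986-compliant java.net.URI, rejects hosts outside the
     * allow-list based on the parser's view of the authority, and normalises an empty
     * path to "/" so that "scheme://authority#fragment" becomes "scheme://authority/#fragment".
     */
    public static URI prepare(String raw) throws URISyntaxException {
        URI uri = new URI(raw);
        if (!uri.isAbsolute() || uri.getHost() == null) {
            throw new URISyntaxException(raw, "expected an absolute URI with a host");
        }
        String host = uri.getHost().toLowerCase();
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not permitted: " + host);
        }
        String path = uri.getRawPath();
        if (path != null && !path.isEmpty()) {
            return uri; // already has a path; nothing to normalise
        }
        // Reassemble from the raw (still percent-encoded) components with "/" as the path,
        // then re-parse so the result is validated by the same compliant parser.
        StringBuilder sb = new StringBuilder()
                .append(uri.getScheme()).append("://")
                .append(uri.getRawAuthority()).append('/');
        if (uri.getRawQuery() != null) {
            sb.append('?').append(uri.getRawQuery());
        }
        if (uri.getRawFragment() != null) {
            sb.append('#').append(uri.getRawFragment());
        }
        return new URI(sb.toString());
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs: authority followed directly by "#", the slash-path form,
        // and a host that is not on the allow-list.
        String[] samples = {
            "http://user@example.org#foo.txt",
            "http://user@example.org/foo.txt",
            "http://user@not-allowed.example#foo.txt"
        };
        for (String raw : samples) {
            try {
                URI safe = prepare(raw);
                System.out.println(raw + " -> host=" + safe.getHost() + " request=" + safe);
            } catch (IllegalArgumentException e) {
                System.out.println(raw + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The first sample is rewritten to http://user@example.org/#foo.txt with host example.org, the second passes through unchanged, and the third is rejected because the allow-list decision is made on the host that java.net.URI extracted rather than on anything the underlying client might parse differently.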
Upgrade to play-ws-standalone 1.0.7, or, if using Play 2.5.x, upgrade to async-http-client 2.0.35. The issue has not been fixed in the AsyncHttpClient used by Play 2.4.x and earlier.
The correct version will automatically be provided in Play 2.6.4 and higher, and Play 2.5.17 and higher.
Credit for finding this vulnerability in AsyncHttpClient goes to Nicolas Grégoire from Agarri.