While doing an assessment for a client we came across an issue where the
null check was not working for their code. They had a null check based on
SafeRequest.getParameter(String). If the value was not null they did one
thing; if it was, they did another thing, which, based on SafeRequest,
means it will always do the first thing. In their specific case they had
centralized menu code and sometimes different parameters are submitted, but
those parameters not submitted will never be null. SafeRequest and
SecurityRequestWrapper both default to setting any getParameter (including
a parameter that is not submitted) that returns null to the empty string.
This will break any applications that rely on null checks. This should be
a high priority fix as the getParameter should default to allowing null.
I agree that the SafeRequest (1.4) and SecurityRequestWrapper (2.0) seem to get this
wrong. Should we change this to make "allowNull" true? Then the underlying
getValidInput call will not throw an exception and the call will return null as it
should.
From manico.james@gmail.com on January 15, 2010 18:49:40
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=90
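The behaviour reported in this issue, modelled as an added example (not code from ESAPI or from the posters). The class and method names are hypothetical stand-ins and a plain map takes the place of the servlet request; the sample request is constructed. It shows how coercing a missing parameter to the empty string makes an application's null check always take the first branch, and a presence check that still tells the cases apart, assuming the set of submitted names is available.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration. Names are hypothetical stand-ins, not the source of
// ESAPI's SafeRequest or SecurityRequestWrapper.
public class NullParameterDemo {

    // Models the reported behaviour: a parameter that was not submitted
    // comes back as "" instead of null.
    static String getParameterCoercing(Map<String, String> submitted, String name) {
        String value = submitted.get(name);
        return value == null ? "" : value;
    }

    // Models the requested behaviour: a missing parameter stays null.
    static String getParameterAllowingNull(Map<String, String> submitted, String name) {
        return submitted.get(name);
    }

    // Application-side null check of the kind described in the report.
    static String route(String menuParam) {
        if (menuParam != null) {
            return "submitted-branch";
        }
        return "absent-branch";
    }

    // Presence check that separates absent, empty and non-empty values even
    // when the accessor coerces null to "" (assumes the submitted names are known).
    static String classify(Map<String, String> submitted, String name) {
        if (!submitted.containsKey(name)) {
            return "absent";
        }
        return submitted.get(name).isEmpty() ? "empty" : "value";
    }

    public static void main(String[] args) {
        Map<String, String> submitted = new HashMap<>(); // constructed sample request
        submitted.put("menu", "reports");
        submitted.put("filter", "");

        for (String name : new String[] {"menu", "filter", "admin"}) {
            System.out.printf("%-7s coercing=%s allowNull=%s classify=%s%n", name,
                route(getParameterCoercing(submitted, name)),
                route(getParameterAllowingNull(submitted, name)),
                classify(submitted, name));
        }
    }
}
```

Compare the `coercing` and `allowNull` columns on the row for `admin`, the parameter that was never submitted: that row is the case the report describes.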