SafeRequest.getParameter(String) does not return null if String is null #100
Labels
Comments
|
From jeff.wil...@gtempaccount.com on January 15, 2010 17:31:30 I agree that the SafeRequest (1.4) and SecurityRequestWrapper (2.0) seem to get this |
|
From manico.james@gmail.com on January 15, 2010 17:33:46 Yes, I agree. I think the change is that simple Jeff. Go for it? |
|
From chrisisbeef on January 15, 2010 20:23:47 This issue was closed by revision r937 . Status: Fixed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From manico.james@gmail.com on January 15, 2010 18:49:40
While doing an assessment for a client we came across an issue where the
null check was not work for their code. They had a null check based on
SafeRequest.getParameter(String). If the value was not null they did one
thing if it was they did another thing, which based on SafeRequest this
means it always will do the first thing. In their specific case they had
centralized menu code and sometimes different parameters are submitted, but
those parameters not submitted will never be null. SafeRequest and
SecurityRequestWrapper both default to setting any getParameter (including
a parameter that is not submitted) that returns null to the empty string.
This will break any applications that rely on null checks. This should be
a high priority fix as the getParameter should default to allowing null.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=90
The text was updated successfully, but these errors were encountered: