DefaultEncoder not respecting IntrusionDetector.Disable=true in ESAPI.properties #162

Closed
meg23 opened this issue Nov 13, 2014 · 2 comments

meg23 commented Nov 13, 2014

From augu...@gmail.com on September 28, 2010 16:02:08

What steps will reproduce the problem?

1. Set IntrusionDetector.Disable=true in ESAPI.properties
2. Pass a double-encoded String to StringValidationRule.getValid(String context, String input)
3. An IntrusionException is thrown

What is the expected output? What do you see instead?

I would expect IntrusionException to not be thrown, thus respecting the property in ESAPI.properties.

Please use labels and text to provide additional information.

From the source code, it looks like StringValidationRule.getValid( String context, String input ) calls the one-argument DefaultEncoder.canonicalize(String input) which automatically enforces strict intrusion detection regardless of the value in ESAPI.properties.

The one argument canonicalize() method should be adjusted to use the value from ESAPI.properties instead of the hard-coded 'true' value for strict.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=152

meg23 commented Nov 13, 2014

From augu...@gmail.com on September 28, 2010 13:12:26

Proposed patch attached and ready to checkin. I ran a clean build and all tests pass:

Tests run: 490, Failures: 0, Errors: 0, Skipped: 0

Attachment: issue 152.diff

meg23 commented Nov 13, 2014

From augu...@gmail.com on September 28, 2010 13:29:11

Changes committed to SVN.

Summary: DefaultEncoder not respecting IntrusionDetector.Disable=true in ESAPI.properties
Status: Fixed

meg23 closed this as completed Nov 13, 2014
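
The behaviour this issue asks for, as an added Java example that is not ESAPI's code or the attached patch: a one-argument canonicalize() that derives its strict flag from IntrusionDetector.Disable instead of a hard-coded true. The class CanonicalizeDemo, its Properties-based constructor, the percent-only decoder and the stand-in IntrusionException are assumptions made for illustration.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CanonicalizeDemo {
    // Stand-in for ESAPI's IntrusionException (hypothetical, demo only).
    static class IntrusionException extends RuntimeException {
        IntrusionException(String msg) { super(msg); }
    }
    private static final Pattern PCT = Pattern.compile("%([0-9A-Fa-f]{2})");
    private final boolean detectionDisabled;

    // Same key as in the issue; reading it from a Properties object is an assumption.
    CanonicalizeDemo(Properties props) {
        detectionDisabled = Boolean.parseBoolean(props.getProperty("IntrusionDetector.Disable", "false"));
    }
    // One-argument form: strictness follows configuration instead of a hard-coded true.
    String canonicalize(String input) {
        return canonicalize(input, !detectionDisabled);
    }

    // Decode until stable; strict mode rejects input that needed more than one pass.
    String canonicalize(String input, boolean strict) {
        if (input == null) return null;
        String working = input;
        int passes = 0;
        for (String d = percentDecode(working); !d.equals(working); d = percentDecode(working)) {
            working = d;
            passes++;
        }
        if (strict && passes > 1) throw new IntrusionException("multiple encoding, " + passes + " passes");
        return working;
    }
    // One pass of %XX decoding (Java 9+ replaceAll; each byte maps to one char, fine for ASCII).
    static String percentDecode(String s) {
        return PCT.matcher(s).replaceAll(
            r -> Matcher.quoteReplacement(String.valueOf((char) Integer.parseInt(r.group(1), 16))));
    }

    public static void main(String[] args) {
        for (String flag : new String[] {"false", "true"}) {
            Properties p = new Properties();
            p.setProperty("IntrusionDetector.Disable", flag);
            try { // "%253Cscript%253E" is a constructed double-encoded sample
                System.out.println(flag + " -> " + new CanonicalizeDemo(p).canonicalize("%253Cscript%253E"));
            } catch (IntrusionException e) {
                System.out.println(flag + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

With the flag set to false the sample is rejected; with it set to true the same input is decoded twice and returned as `<script>`, so any validation that follows sees the fully decoded value.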