DefaultEncoder.canonicalize() Bug #291
From victropo...@gmail.com on August 31, 2012 08:08:40 As a temporary workaround, I've added code to move the PROPERTYNAME parameter to the beginning of the query string, if present, but this won't work if there are multiple parameters that start with PROP.
From michael....@freiheit.com on September 12, 2014 12:48:06 Same problem with &or in a string. This is interpreted as logical or and leads to a double encoding exception. I would expect that only &or; (with the semicolon) is interpreted as an HTML entity.
From sids0...@gmail.com on October 29, 2014 09:06:03
Steps to reproduce:
Expected results: As there is no semicolon next to &or, it should not canonicalize based on "or".
What version of the product are you using?
@kwwall I think this commit, associated with issue #376, will fix this issue as well. The problem was that when canonicalizing a URI, ESAPI treats the URI as a single-syntax string, ignoring URI structure. &parameter=foo is legal in a URI query.
@xeno6696 So, do we have a test case to test this specific scenario originally described in this issue? If so and it's doing the right thing, I think you can close it. Otherwise, we need a plan B.
We don't, but we will...
The given input that failed was actually failing due to the commas not being URI encoded. Commas are not legal URI syntax, so the original coder was still going to have a problem. At any rate, the input is included in the test now.
From victropo...@gmail.com on August 30, 2012 16:03:42
What steps will reproduce the problem?
1. Attempt to validate the following HTTPQueryString:
connectid=68470072-44c2-417b-822b-d945dc0364f4&request=GetFeature&service=wfs&version=1.1.0&typeName=DigitalGlobe%3AFinishedFeature&bbox=37.5%2C41.5%2C37.8%2C41.7&PROPERTYNAME=source%2CsourceUnit%2CproductType
2012-08-30 00:02:25,918 WARN [388e3f54-b1be-442c-a124-45f9fcda7c67] [http-8082-10] [IntrusionDetector] - [SECURITY FAILURE Anonymous:null@unknown -> /OnlinePortfolio/IntrusionDetector] Invalid input: context=com.digitalglobe.dgp.wfs.controller.WfsController, type(HTTPQueryString)=^[a-zA-Z0-9()-=.?;,+/:&_ %#-=]$, input=connectid=68470072-44c2-417b-822b-d945dc0364f4&request=GetFeature&service=wfs&version=1.1.0&typeName=DigitalGlobe:FinishedFeature&bbox=37.5,41.5,37.8,41.7∝ERTYNAME=source,sourceUnit,productType, orig=connectid=68470072-44c2-417b-822b-d945dc0364f4&request=GetFeature&service=wfs&version=1.1.0&typeName=DigitalGlobe%3AFinishedFeature&bbox=37.5%2C41.5%2C37.8%2C41.7&PROPERTYNAME=source%2CsourceUnit%2CproductType
org.owasp.esapi.errors.ValidationException: com.digitalglobe.dgp.wfs.controller.WfsController: Invalid input. Please conform to regex ^[a-zA-Z0-9()-=_.?;,+/:& %#-=]$ with a maximum length of 1024
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:306)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:213)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=285
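The failure above and the explanation in the comments (a flat canonicalizer consuming "&PROP", "&or" or "&para" as an entity name without a semicolon, versus decoding after the query has been split on its URI structure) can be shown side by side. This is an added example written for this page, not ESAPI's code: the lenient decoder is a small model of the behaviour the log shows, the entity table holds only the four names the thread mentions, and the per-field allow-list regex `FIELD_RE` is a constructed assumption, not ESAPI's HTTPQueryString pattern.

```python
"""Added example (not ESAPI's code): flat canonicalization of a query string
mis-decodes '&PROP', '&or' and '&para'; splitting on the URI structure first
and then applying a strict entity decoder per field does not."""
import re
from urllib.parse import parse_qsl, unquote

# Tiny entity table covering only the names mentioned in this issue;
# constructed for the example (ESAPI's own table is far larger).
ENTITIES = {"prop": "\u221d", "or": "\u2228", "para": "\u00b6", "amp": "&"}


def lenient_entity_decode(s: str) -> str:
    """Model of the reported behaviour: after '&', the longest known entity
    name is decoded (case-insensitively) even when no ';' terminates it,
    so '&PROPERTYNAME' becomes '\u221dERTYNAME'."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "&":
            out.append(s[i])
            i += 1
            continue
        m = re.match(r"[A-Za-z]+", s[i + 1:])
        letters = m.group(0).lower() if m else ""
        hit = max((e for e in ENTITIES if letters.startswith(e)),
                  key=len, default=None)
        if hit is None:
            out.append("&")
            i += 1
            continue
        i += 1 + len(hit)          # consume '&' and the matched name
        if i < len(s) and s[i] == ";":
            i += 1                 # an optional ';' is swallowed too
        out.append(ENTITIES[hit])
    return "".join(out)


def strict_entity_decode(s: str) -> str:
    """Only '&name;' with an exact name and a terminating ';' is an entity."""
    return re.sub(r"&([A-Za-z]+);",
                  lambda m: ENTITIES.get(m.group(1), m.group(0)), s)


def canonicalize_flat(query: str) -> str:
    """Treat the whole query as one string: percent-decode, then apply the
    lenient entity decoder. The '&' delimiters are visible to the decoder."""
    return lenient_entity_decode(unquote(query))


def canonicalize_by_structure(query: str):
    """Split on '&' and '=' while still percent-encoded, percent-decode each
    part (parse_qsl does both), then entity-decode strictly per part. A
    delimiter can no longer be consumed as the start of an entity."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(strict_entity_decode(k), strict_entity_decode(v)) for k, v in pairs]


# Constructed per-field allow-list for canonical values (assumption, not
# ESAPI's HTTPQueryString regex): validate each field, not the joined blob.
FIELD_RE = re.compile(r"^[A-Za-z0-9:,.\-]*$")


def rejected_fields(pairs):
    """Names of parameters whose canonical value fails the allow-list."""
    return [k for k, v in pairs if not FIELD_RE.match(v)]


# The query string from the issue report.
QUERY = ("connectid=68470072-44c2-417b-822b-d945dc0364f4"
         "&request=GetFeature&service=wfs&version=1.1.0"
         "&typeName=DigitalGlobe%3AFinishedFeature"
         "&bbox=37.5%2C41.5%2C37.8%2C41.7"
         "&PROPERTYNAME=source%2CsourceUnit%2CproductType")

if __name__ == "__main__":
    print("flat:", canonicalize_flat(QUERY))          # ...41.7\u221dERTYNAME=...
    for name, value in canonicalize_by_structure(QUERY):
        print(f"{name} = {value}")                     # PROPERTYNAME survives
    print("rejected:", rejected_fields(canonicalize_by_structure(QUERY)))
    print(lenient_entity_decode("a&orb"), strict_entity_decode("a&orb"))
```

Run as-is to see the flat form reproduce the `∝ERTYNAME` fragment from the log, while the structured form returns `PROPERTYNAME` intact and every field passes the per-field allow-list. The same functions show the two follow-up reports: `a&orb` decodes to a logical-or character under the lenient model but is left alone by the strict one, and `&parameter=foo` loses its `&para` prefix only when decoded flat.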