The 'configuration/esapi/ESAPI.properties' file and all other files under the 'configuration/esapi' directory are missing from the ESAPI production builds. (E.g., it is missing from the 2.1.0 release.)
This is causing some to use the ESAPI.properties file found in 'src/test/resources/esapi/ESAPI.properties' which has some (intentionally) insecure additional property values (e.g., Encryptor.cipher_modes.additional_allowed=CBC,ECB -- ECB mode is normally not there). It also increases the likelihood that developers are using the test versions of Encryptor.MasterKey and Encryptor.MasterSalt property values.
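As an added illustration (not code from ESAPI or from this issue), the check below audits a deployed ESAPI.properties for the two risks the report describes: ECB appearing in Encryptor.cipher_modes.additional_allowed, and Encryptor.MasterKey / Encryptor.MasterSalt still carrying the values from the test properties file. The property names come from the report; the property file contents and key values are constructed stand-ins.

```python
"""Audit an ESAPI.properties file for test-configuration leakage."""
import re

# Constructed stand-in for src/test/resources/esapi/ESAPI.properties;
# the key/salt values are placeholders, not the real test values.
TEST_PROPS = """# test configuration (intentionally permissive)
Encryptor.cipher_modes.additional_allowed=CBC,ECB
Encryptor.MasterKey=TESTKEYTESTKEYTESTKEY0000=
Encryptor.MasterSalt=TESTSALTTESTSALT000000000=
"""

# Constructed example of what a production file should look like instead.
GOOD_PROPS = """
Encryptor.cipher_modes.additional_allowed=CBC
Encryptor.MasterKey=uNiQuEpRoDkEy0000000000000=
Encryptor.MasterSalt=uNiQuEpRoDsAlT00000000000=
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key:value pairs, and backslash line continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf += line[:-1]          # continued on the next line
            continue
        line, buf = buf + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(prod, test):
    """Return a list of findings for a production properties dict `prod`,
    compared against the parsed test properties `test`."""
    findings = []
    raw_modes = prod.get("Encryptor.cipher_modes.additional_allowed", "")
    modes = [m.strip().upper() for m in raw_modes.split(",") if m.strip()]
    if "ECB" in modes:
        findings.append("ECB allowed via Encryptor.cipher_modes.additional_allowed")
    for key in ("Encryptor.MasterKey", "Encryptor.MasterSalt"):
        if key in prod and prod[key] == test.get(key):
            findings.append(f"{key} equals the test ESAPI.properties value")
    return findings
```

Running `audit(parse_properties(TEST_PROPS), parse_properties(TEST_PROPS))` models a deployment that shipped the test file and reports all three findings, while the constructed production file reports none.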
Pretty sure you can fix this by updating your dist.xml file under src/main/assembly. Currently you're looking for configuration/.esapi instead of configuration/esapi like it is in source.
As near as I can tell, this seems to be a duplicate of issue #341 and if not, I think commit 068cecb fixes this issue as well.
Short of actually deploying a new production release to Maven Central, is there a way that I can test this via a Maven command line? E.g., some mvn goal that would create these artifacts that I can inspect?
From kevin.w.wall@gmail.com on October 22, 2013 13:04:40
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=309