
DefaultEncoder.canonicalize() should respect value of Encoder.AllowMultipleEncoding property #170

Closed
meg23 opened this issue Nov 13, 2014 · 4 comments

Comments


meg23 commented Nov 13, 2014

From augu...@gmail.com on October 29, 2010 05:56:14

The Encoder.AllowMultipleEncoding property in ESAPI.properties does not seem to be used anywhere. In DefaultEncoder, the canonicalize() method uses IntrusionDetector.Disable instead:

public String canonicalize( String input ) {
    if ( input == null ) {
        return null;
    }
    // The "strict" flag passed to the two-argument overload is derived solely from the
    // global IntrusionDetector.Disable switch; Encoder.AllowMultipleEncoding is never consulted.
    return canonicalize( input, !ESAPI.securityConfiguration().getDisableIntrusionDetection() );
}

This method should use the Encoder.AllowMultipleEncoding property, with the possible addition of another property for Encoder.AllowMixedEncoding. This would allow us to handle special cases where we need to allow multiple encoding, but not mixed encoding, without disabling intrusion detection across the board for all of ESAPI.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=160
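The split the report asks for, as an added example that is not ESAPI's own code: a small Python model of canonicalize() whose policy has two independent knobs, one for multiple encoding (%2541) and one for mixed encoding (%41&#x42;), instead of a single intrusion-detection switch. The `allow_multiple` / `allow_mixed` parameters, the `IntrusionDetected` exception, the `analyze` / `canonicalize_legacy` / `is_rejected` helpers and the sample inputs are all assumptions made here; the standard-library percent and HTML-entity decoders stand in for ESAPI's codecs.

```python
import html
from urllib.parse import unquote


class IntrusionDetected(Exception):
    """Raised when input uses an encoding pattern the policy does not allow."""


# Decoders tried on every pass. Both leave input that does not use their
# scheme unchanged and strictly shorten anything they do decode, so the
# pass loop below always terminates.
CODECS = (
    ("percent", unquote),       # %41 -> A
    ("html", html.unescape),    # &#x41; -> A, &#65; -> A, &lt; -> <
)


def analyze(value):
    """Fully decode value and report which encoding patterns it used.

    Returns (canonical, multiple, mixed):
      multiple - one scheme had to be applied in more than one pass (%2541)
      mixed    - more than one scheme contributed a decode (%41&#x42;)
    """
    working = value
    passes = {}  # codec name -> number of passes in which it decoded something
    changed = True
    while changed:
        changed = False
        for name, decode in CODECS:
            decoded = decode(working)
            if decoded != working:
                passes[name] = passes.get(name, 0) + 1
                working = decoded
                changed = True
    multiple = any(count > 1 for count in passes.values())
    mixed = len(passes) > 1
    return working, multiple, mixed


def canonicalize(value, allow_multiple=False, allow_mixed=False):
    """Canonicalize value under a policy with two independent knobs.

    The flags stand in for the Encoder.AllowMultipleEncoding and proposed
    Encoder.AllowMixedEncoding properties (names taken from the report).
    """
    if value is None:
        return None
    canonical, multiple, mixed = analyze(value)
    if multiple and not allow_multiple:
        raise IntrusionDetected(f"multiple encoding detected in {value!r}")
    if mixed and not allow_mixed:
        raise IntrusionDetected(f"mixed encoding detected in {value!r}")
    return canonical


def canonicalize_legacy(value, intrusion_detection_enabled=True):
    """The behaviour the report objects to: one global switch drives both
    checks, so permitting %2541 also silently permits %41&#x42;."""
    permissive = not intrusion_detection_enabled
    return canonicalize(value, allow_multiple=permissive, allow_mixed=permissive)


def is_rejected(value, **flags):
    """True if canonicalize() would reject value under the given flags."""
    try:
        canonicalize(value, **flags)
    except IntrusionDetected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs covering the plain, multiple, mixed and both cases.
    samples = ["hello", "100%", "%41", "%2541", "%41&#x42;", "&#x25;41", "%2541&#x42;"]
    policies = {
        "strict": dict(),
        "multiple only": dict(allow_multiple=True),
        "multiple + mixed": dict(allow_multiple=True, allow_mixed=True),
    }
    for label, flags in policies.items():
        print(f"--- policy: {label}")
        for sample in samples:
            try:
                print(f"{sample!r:18} -> {canonicalize(sample, **flags)!r}")
            except IntrusionDetected as exc:
                print(f"{sample!r:18} -> rejected: {exc}")
```

Running the script prints the same inputs under the three policies; the "multiple only" column is the case the report wants to express (%2541 accepted, %41&#x42; still rejected), which `canonicalize_legacy` cannot produce without disabling both checks.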


meg23 commented Nov 13, 2014

From augu...@gmail.com on October 29, 2010 03:08:19

Proposed patch attached.

Attachment: ESAPI-160.diff


meg23 commented Nov 13, 2014

From manico.james@gmail.com on October 29, 2010 03:37:31

Status:


meg23 commented Nov 13, 2014

From manico.james@gmail.com on October 29, 2010 03:37:52

Status: Verified


meg23 commented Nov 13, 2014

From augu...@gmail.com on October 29, 2010 10:11:26

Patch committed to SVN as revision #1630.

Status: Fixed

@meg23 meg23 closed this as completed Nov 13, 2014