There's a bug in DefaultEncoder.canonicalize(String input).
It's supposed to use the settings
Encoder.AllowMultipleEncoding and
Encoder.AllowMixedEncoding
but it's effectively using
!Encoder.AllowMultipleEncoding and
!Encoder.AllowMixedEncoding
@kwwall going to close this one. While what the person says is true, I don't think it's safe to reverse any boolean logic this far into the life of the API.
At a minimum, perhaps some clarification in the Javadoc is in order then? B/c it seems as though what we are saying is "yes, this probably is not the intended behavior, but by now so many people may be relying on this broken behavior that fixing it could have unintended consequences."

If we are going to change the actual behavior, we should at least document what it is actually doing, don't you agree? Changing the names of the formal parameters would be a good start. And maybe a "@see" to refer to this bug report.
-kevin
Sent from my Droid; please excuse typos.
On Jun 14, 2016 8:42 AM, "Matt Seil" notifications@github.com wrote:
From schulger...@widmann.de on May 25, 2011 05:43:27
There's a bug in DefaultEncoder.canonicalize(String input).
It's supposed to use the settings
Encoder.AllowMultipleEncoding and
Encoder.AllowMixedEncoding
but it's effectively using
!Encoder.AllowMultipleEncoding and
!Encoder.AllowMixedEncoding
See lines 116-123:
    public String canonicalize( String input ) {
        if ( input == null ) {
            return null;
        }
        // The configuration values are "allow" flags, but the three-argument
        // overload takes "restrict" flags, so they are passed with inverted meaning.
        return canonicalize(input,
                ESAPI.securityConfiguration().getAllowMultipleEncoding(),
                ESAPI.securityConfiguration().getAllowMixedEncoding() );
    }
It should be
    public String canonicalize( String input ) {
        if ( input == null ) {
            return null;
        }
        // Negate the "allow" settings to obtain the "restrict" arguments.
        return canonicalize(input,
                !ESAPI.securityConfiguration().getAllowMultipleEncoding(),
                !ESAPI.securityConfiguration().getAllowMixedEncoding() );
    }
because
canonicalize(String, boolean, boolean)
is defined as
canonicalize(String input, boolean restrictMultiple, boolean restrictMixed)
and not as
canonicalize(String input, boolean allowMultiple, boolean allowMixed)
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=226
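The practical effect of the inversion described in the report is easiest to see against a small model. The following is an added example, not code from ESAPI: ToyConfig, ToyIntrusionException, decodeOnce and the two wrapper methods are stand-ins I wrote to model only the multiple/mixed-encoding semantics the report describes (one percent codec, one HTML numeric-entity codec). The constructed configuration sets both "allow" flags to false, which is the hardened setting an operator would expect to reject double-encoded input.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

public class ToyCanonicalizeDemo {

    /** Stand-in for the exception ESAPI raises on restricted encodings (hypothetical type). */
    static class ToyIntrusionException extends RuntimeException {
        ToyIntrusionException(String msg) { super(msg); }
    }

    /** Stand-in for Encoder.AllowMultipleEncoding / Encoder.AllowMixedEncoding (hypothetical). */
    static class ToyConfig {
        final boolean allowMultipleEncoding;
        final boolean allowMixedEncoding;
        ToyConfig(boolean allowMultiple, boolean allowMixed) {
            this.allowMultipleEncoding = allowMultiple;
            this.allowMixedEncoding = allowMixed;
        }
    }

    static boolean isHex(char c) { return Character.digit(c, 16) >= 0; }

    /** One left-to-right decoding pass over %XX and &#NN; tokens; records which codecs fired. */
    static String decodeOnce(String s, List<String> codecsUsed) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()
                    && isHex(s.charAt(i + 1)) && isHex(s.charAt(i + 2))) {
                out.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16));
                if (!codecsUsed.contains("percent")) codecsUsed.add("percent");
                i += 3;
                continue;
            }
            if (c == '&' && s.startsWith("&#", i)) {
                int semi = s.indexOf(';', i);
                if (semi > i + 2) {
                    String digits = s.substring(i + 2, semi);
                    if (digits.length() <= 5 && digits.chars().allMatch(Character::isDigit)) {
                        out.append((char) Integer.parseInt(digits));
                        if (!codecsUsed.contains("html")) codecsUsed.add("html");
                        i = semi + 1;
                        continue;
                    }
                }
            }
            out.append(c);
            i++;
        }
        return out.toString();
    }

    /** Toy version of the three-argument overload: the booleans mean "restrict", as in the report. */
    static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
        List<String> codecs = new ArrayList<>();
        String current = input;
        int passes = 0;                       // number of passes that actually decoded something
        while (true) {
            String next = decodeOnce(current, codecs);
            if (next.equals(current)) break;
            passes++;
            current = next;
        }
        if (passes > 1 && restrictMultiple) {
            throw new ToyIntrusionException("multiple (" + passes + "x) encoding in: " + input);
        }
        if (codecs.size() > 1 && restrictMixed) {
            throw new ToyIntrusionException("mixed encoding " + codecs + " in: " + input);
        }
        return current;
    }

    /** Wrapper as the report says it currently behaves: "allow" flags passed straight through. */
    static String canonicalizeAsReported(ToyConfig cfg, String input) {
        return canonicalize(input, cfg.allowMultipleEncoding, cfg.allowMixedEncoding);
    }

    /** Wrapper as the report says it should behave: "allow" negated into "restrict". */
    static String canonicalizeAsProposed(ToyConfig cfg, String input) {
        return canonicalize(input, !cfg.allowMultipleEncoding, !cfg.allowMixedEncoding);
    }

    static void show(String label, Function<String, String> fn, String input) {
        try {
            System.out.println(label + " " + input + " -> returned \"" + fn.apply(input) + "\"");
        } catch (ToyIntrusionException e) {
            System.out.println(label + " " + input + " -> rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        ToyConfig cfg = new ToyConfig(false, false);   // constructed: allow neither multiple nor mixed
        // Constructed inputs: single-encoded, double-encoded (two percent passes), and mixed codecs.
        String[] samples = { "%41", "%2541", "%41&#66;" };
        for (String s : samples) {
            show("as reported:", in -> canonicalizeAsReported(cfg, in), s);
            show("as proposed:", in -> canonicalizeAsProposed(cfg, in), s);
        }
    }
}
```

With both "allow" settings false, the as-reported wrapper hands restrict=false to the overload, so the double-encoded and mixed inputs decode silently; the as-proposed wrapper hands restrict=true and rejects them. That is the point of the report: a deployment that disables multiple and mixed encoding in its configuration gets the opposite of what it configured, and the intrusion signal that detection would otherwise rely on never fires.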