SecurityWrapperRequest should expect a null value for the query string

Diewalkure / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Other

1 stars 0 forks source link

SecurityWrapperRequest should expect a null value for the query string #121

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

Whilst using the SecurityWrapper filter I have found a ValidationException 
is being thrown by SecurityWrapperRequest.getQueryString() when the query 
string is null. The cause is the allowNull parameter being set to false on 
the Validator.getValidInput(...) call.

I believe that the correct behaviour would be to set allowNull to true as 
the documentation for HttpServletRequest.getQueryString() indicates null is 
a valid response: "...a String containing the query string or null if the 
URL contains no query string..." [1].

I've attached a patch with the above change.

Refs:

1. http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-
mr2/javax/servlet/http/HttpServletRequest.html#getQueryString()

Original issue reported on code.google.com by jonathan...@gmail.com on 10 May 2010 at 2:40

Attachments:

SecurityWrapperRequestGetQueryString.patch

GoogleCodeExporter commented 9 years ago

Original comment by jonathan...@gmail.com on 11 May 2010 at 10:38

GoogleCodeExporter commented 9 years ago

Congratulations, it appears that you're the first person to use this method 
because
it has more issues than just handling of null.

It also doesn't accept the simplest query of "a=b" with the default 
configuration as
the default regex is using (1,50) instead of {1,50}. The code is specifying 
2000 as
that max length instead of 50. Even with the length fixed in the regex it 
doesn't
contain a %.

Happily it does reject a NUL but, when % is added to the regex, it happily 
accepts %00.

Original comment by schal...@darkmist.net on 16 May 2010 at 12:21

Changed state: Started

GoogleCodeExporter commented 9 years ago

This issue was closed by revision r1416.

Original comment by schal...@darkmist.net on 16 May 2010 at 1:50

Changed state: Fixed

GoogleCodeExporter commented 9 years ago

Reopening as this still needs checked/fixed in the 1.4 & 2.1 branches. It has 
been
fixed in the 2.0 branch.

Original comment by schal...@darkmist.net on 16 May 2010 at 1:55

Changed state: Accepted
Added labels: branch1.4, branch2.1

GoogleCodeExporter commented 9 years ago

we blew away 2.1 and refresh with 2.0 - so this only needs fixing in 1.4

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:47

Added labels: Milestone-Release1.4

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:47

Removed labels: branch2.1

GoogleCodeExporter commented 9 years ago

This issue is not relevant in ESAPI 2.x and ESAPI 1.4.x is no longer supported. 
Even if this issue were to be fixed in ESAPI 1.4.x, it would still leave many 
other bugs--some of which are security issues--as unfixed. Therefore, this bug 
nor any others that are specific to ESAPI 1.4.x, will be fixed.

Original comment by kevin.w.wall@gmail.com on 23 Sep 2014 at 1:49

Changed state: WontFix