Fierozen / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Canonicalization might not be performed #226

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
There's a bug in DefaultEncoder.canonicalize(String input).

It's supposed to use the settings
Encoder.AllowMultipleEncoding and
Encoder.AllowMixedEncoding
but it's effectively using
!Encoder.AllowMultipleEncoding and
!Encoder.AllowMixedEncoding

See lines 116-123:

```java
public String canonicalize( String input ) {
    if ( input == null ) {
        return null;
    }
    return canonicalize(input,
                        ESAPI.securityConfiguration().getAllowMultipleEncoding(),
                        ESAPI.securityConfiguration().getAllowMixedEncoding() );
}
```

It should be

```java
public String canonicalize( String input ) {
    if ( input == null ) {
        return null;
    }
    return canonicalize(input,
                        !ESAPI.securityConfiguration().getAllowMultipleEncoding(),
                        !ESAPI.securityConfiguration().getAllowMixedEncoding() );
}
```

because

canonicalize(String, boolean, boolean)

is defined as

canonicalize(String input, boolean restrictMultiple, boolean restrictMixed)

and not as

canonicalize(String input, boolean allowMultiple, boolean allowMixed)

Original issue reported on code.google.com by schulger...@widmann.de on 25 May 2011 at 9:43
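The effect of the inversion, as an added example that is not part of the issue or of ESAPI's code: a simplified Python model of the decode-until-stable loop behind `canonicalize(String, boolean, boolean)`, with two toy codecs (percent and HTML entity) standing in for ESAPI's codec chain and an `IntrusionException` stand-in. `canonicalize_from_config` plays the one-argument wrapper; with `fixed=False` it passes the `Encoder.AllowMultipleEncoding` / `Encoder.AllowMixedEncoding` values straight through as the reporter describes, with `fixed=True` it negates them. The codec names, the sample inputs and the `rejected` helper are assumptions made for the demonstration.

```python
"""Model of the canonicalize() restrict/allow flag inversion.

Hypothetical, simplified stand-in for ESAPI's DefaultEncoder, not the
project's code: two toy codecs, a decode-until-stable loop, and the
restrictMultiple / restrictMixed parameters of
canonicalize(String, boolean, boolean).
"""
import html
import logging
from urllib.parse import unquote

log = logging.getLogger("canonicalize-demo")


class IntrusionException(Exception):
    """Stand-in for org.owasp.esapi.errors.IntrusionException."""


# Toy codecs (assumed names) standing in for PercentCodec and
# HTMLEntityCodec; each call strips exactly one layer of its own encoding.
CODECS = [
    ("percent", unquote),
    ("html", html.unescape),
]


def canonicalize(value, restrict_multiple, restrict_mixed):
    """Decode until nothing changes. The booleans mean RESTRICT: True rejects."""
    working = value
    codec_found = None
    mixed_count = 1   # number of distinct codecs that had an effect
    found_count = 0   # number of passes in which some codec decoded something
    clean = False
    while not clean:
        clean = True
        for name, decode in CODECS:
            old = working
            working = decode(working)
            if old != working:
                if codec_found is not None and codec_found != name:
                    mixed_count += 1
                codec_found = name
                if clean:          # first codec to change the input this pass
                    found_count += 1
                clean = False

    multiple = found_count >= 2
    mixed = mixed_count > 1
    if multiple and mixed:
        msg = f"Multiple ({found_count}x) and mixed ({mixed_count}x) encoding in {value!r}"
        if restrict_multiple or restrict_mixed:
            raise IntrusionException(msg)
        log.warning(msg)
    elif multiple:
        msg = f"Multiple ({found_count}x) encoding in {value!r}"
        if restrict_multiple:
            raise IntrusionException(msg)
        log.warning(msg)
    elif mixed:
        msg = f"Mixed ({mixed_count}x) encoding in {value!r}"
        if restrict_mixed:
            raise IntrusionException(msg)
        log.warning(msg)
    return working


def canonicalize_from_config(value, allow_multiple, allow_mixed, fixed):
    """The one-argument wrapper.

    allow_multiple / allow_mixed model Encoder.AllowMultipleEncoding and
    Encoder.AllowMixedEncoding. fixed=False reproduces the reported bug
    (allow flags handed to restrict parameters); fixed=True negates them.
    """
    if value is None:
        return None
    if fixed:
        return canonicalize(value, not allow_multiple, not allow_mixed)
    return canonicalize(value, allow_multiple, allow_mixed)


def rejected(value, allow_multiple, allow_mixed, fixed):
    """True if the wrapper raised IntrusionException for this input."""
    try:
        canonicalize_from_config(value, allow_multiple, allow_mixed, fixed)
    except IntrusionException:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: double percent-encoded "S", and an HTML entity for
    # "%" followed by percent encoding (mixed encodings).
    samples = {"double": "%2553cript", "mixed": "&#37;53cript", "single": "%53cript"}
    for fixed in (False, True):
        for label, s in samples.items():
            # Secure configuration: both Allow* settings false.
            print(f"fixed={fixed!s:5} {label:6} {s!r:16} rejected={rejected(s, False, False, fixed)}")
```

With both `Allow*` settings false (the restrictive configuration), the unfixed wrapper lets the double-encoded and mixed inputs through as plain `Script` and only logs; with both settings true it rejects them instead. The negated version behaves as the settings say.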

GoogleCodeExporter commented 9 years ago
Related to:
http://code.google.com/p/owasp-esapi-java/issues/detail?id=231

Original comment by sickska...@gmail.com on 11 Jul 2011 at 11:42