andytanoko / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

SafeRequest.getParameter(String) does not return null if String is null #90

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
While doing an assessment for a client we came across an issue where the
null check was not work for their code.  They had a null check based on
SafeRequest.getParameter(String).  If the value was not null they did one
thing if it was they did another thing, which based on SafeRequest this
means it always will do the first thing.  In their specific case they had
centralized menu code and sometimes different parameters are submitted, but
those parameters not submitted will never be null.  SafeRequest and
SecurityRequestWrapper both default to setting any getParameter (including
a parameter that is not submitted) that returns null to the empty string. 
This will break any applications that rely on null checks.  This should be
a high priority fix as the getParameter should default to allowing null.   

Original issue reported on code.google.com by manico.james@gmail.com on 15 Jan 2010 at 11:49

GoogleCodeExporter commented 9 years ago
I agree that the SafeRequest (1.4) and SecurityRequestWrapper (2.0) seem to get 
this 
wrong.  Should we change this to make "allowNull" true?  Then the underlying 
getValidInput call will not throw an exception and the call will return null as 
it 
should.

Original comment by jeff.wil...@gtempaccount.com on 16 Jan 2010 at 1:31

GoogleCodeExporter commented 9 years ago
Yes, I agree. I think the change is that simple Jeff. Go for it?

Original comment by manico.james@gmail.com on 16 Jan 2010 at 1:33

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r937.

Original comment by chrisisbeef on 16 Jan 2010 at 4:23