chiu01 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

DefaultHttpUtilities.getParameter gets headers, not parameters #24

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Line 608 of DefaultHttpUtilities:
String value = request.getHeader(name);

So it gets a header, just like getHeader, instead of the parameter. I think
getParameter was what was intended:

http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/ServletRequest.html#getParameter(java.lang.String)

But that spec is decidedly ambiguous - Does the param come from POST or
GET? I'm not sure if we really want to use that...

What version of the product are you using? On what operating system?

SVN revision 574.

Original issue reported on code.google.com by cyounk...@gmail.com on 28 Jul 2009 at 8:55

GoogleCodeExporter commented 8 years ago
In every container I have worked with the getParameters will return the value
regardless of if they are POST or GET. Perhaps we should look at creating a request
wrapper for HttpServletRequest that only returns parms for whatever method the
request was made using.

It definitely begs an interesting question - If a form is submitted as a POST,
but someone submits a GET parameter with the same name, which one wins out and is
returned when I call getParameter?

Original comment by chrisisbeef on 2 Aug 2009 at 7:41
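A sketch of the method-scoped request wrapper suggested above, added here as an example and not ESAPI or container code. It assumes the Servlet 3.x API and Java 8; for a POST it keeps only the values that came from the body, relying on the Servlet spec rule that, when a name appears in both the query string and the body, the query-string values are listed first in the merged parameter array.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical wrapper (not ESAPI code, assumes Servlet 3.x / Java 8): for a POST,
 * exposes only parameters that arrived in the body; query-string values are dropped
 * so they cannot shadow a form field. Relies on the Servlet spec rule that, for a
 * name present in both places, query-string values precede body values.
 */
public class BodyOnlyPostRequest extends HttpServletRequestWrapper {
    private final Map<String, String[]> params;

    public BodyOnlyPostRequest(HttpServletRequest req) {
        super(req);
        Map<String, String[]> merged = new HashMap<>(req.getParameterMap());
        if ("POST".equalsIgnoreCase(req.getMethod())) {
            // Count how many values of each name came from the query string.
            Map<String, Integer> fromQuery = new HashMap<>();
            String qs = req.getQueryString();
            for (String pair : qs == null || qs.isEmpty() ? new String[0] : qs.split("&")) {
                int eq = pair.indexOf('=');
                fromQuery.merge(decode(eq >= 0 ? pair.substring(0, eq) : pair), 1, Integer::sum);
            }
            // Drop the leading query-string values; remove names with nothing left.
            for (Map.Entry<String, Integer> e : fromQuery.entrySet()) {
                String[] values = merged.get(e.getKey());
                if (values == null) continue;
                int skip = Math.min(e.getValue(), values.length);
                if (skip == values.length) merged.remove(e.getKey());
                else merged.put(e.getKey(), Arrays.copyOfRange(values, skip, values.length));
            }
        }
        params = Collections.unmodifiableMap(merged);
    }

    private static String decode(String s) {
        try { return URLDecoder.decode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }

    // All four accessors read the filtered map, so callers see one consistent view.
    @Override public String getParameter(String n) { String[] v = params.get(n); return v == null ? null : v[0]; }
    @Override public String[] getParameterValues(String n) { return params.get(n); }
    @Override public Map<String, String[]> getParameterMap() { return params; }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
}
```

Wrap the incoming request in a filter before it reaches code that calls getParameter; GET and other methods pass through unchanged.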

GoogleCodeExporter commented 8 years ago
The method now calls getParameter. We can add the POST/GET validation later if we
decide so.

Original comment by neil.mat...@gmail.com on 27 Oct 2009 at 6:40

GoogleCodeExporter commented 8 years ago

Original comment by neil.mat...@gmail.com on 9 Nov 2009 at 1:39

GoogleCodeExporter commented 8 years ago

Original comment by neil.mat...@gmail.com on 9 Nov 2009 at 1:40

GoogleCodeExporter commented 8 years ago
Please close out this issue and create a new enhancement request for POST/GET
validation for 2.1

Original comment by chrisisbeef on 2 Dec 2009 at 7:56

GoogleCodeExporter commented 8 years ago

Original comment by neil.mat...@gmail.com on 2 Dec 2009 at 8:40