chiu01 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

ESAPI Logging : Need to clarify POST vs GET params better for post requests #79

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
A post can contain both get params in the url, and post params in the post 
payload. We need to differentiate these better in the various ESAPI Loggers.

Original issue reported on code.google.com by manico.james@gmail.com on 15 Dec 2009 at 9:51

GoogleCodeExporter commented 8 years ago
I'd like to see this fixed before 2.0 GA

Original comment by manico.james@gmail.com on 1 Nov 2010 at 12:47

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 19 Nov 2010 at 2:34

GoogleCodeExporter commented 8 years ago

Original comment by chrisisbeef on 20 Nov 2010 at 9:54

GoogleCodeExporter commented 8 years ago
How do you [Jim] propose to differentiate these when they are used GET vs. POST 
unless a developer calls something that allows them to distinguish the 
difference.

For example, if client does a POST with POST parameter foo=bar and also passes 
the query parameter ?foo=bar it is indeterminate as to which one of these 
HttpServletRequest.getParameter("foo") would return.

The Javadoc for ServletRequest.getParameter(String name) says:
"You should only use this method when you are sure the parameter has only one 
value. If the parameter might have more than one value, use 
getParameterValues(java.lang.String). If you use this method with a multivalued 
parameter, the value returned is equal to the first value in the array returned 
by getParameterValues."

Unfortunately, the Javadoc for ServletRequest.getParameterValues(String name) 
doesn't say anything about whether the GET or POST parameter would be called 
first. I am not sure if some IETF RFC or some W3C spec or the Java Servlet Spec 
mentions this or not, but I would conjecture that since it isn't mentioned in 
the Javadoc, it probably is implemented in various app servers and servlet 
engines. So bottom line is that developer better always check via 
getParameterValues and if multiple values are returned they probably are SOL.  
My bet is that unless you want to call something like getQueryString and parse 
the query string yourself, you can't tell a POST from a GET parameter. That's 
because obviously someone could POST something like

  foo=bar&foo=baz

and presumably getParmeterValues() would still return 2 values, so calling that 
is not sufficient even to tell that one parameter value came from a POST and 
the other from a GET.  So I think the only thing that a developer can do is to 
call getParameterValues() and if it all the values that it returns are the 
same, things are OK. If not, things are suspect (unless you intended to use all 
the different values). But bottom line, I'm not sure we have the context to 
tell what the developers intent was. 

Xref: HTTP Parameter Pollution

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 6:05

GoogleCodeExporter commented 8 years ago
Oh wait... I think maybe I misunderstood Jim. Only read the description, not 
the title of the issue.

Jim, are you proposing that we just log whether an HTTP request is made via 
POST or GET? Do we have context to do that? In what classes do we need to do 
this? Seems like it might be spread all over the place unless we have some 
special HTTP logger class. (I've not checked.)

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 6:10

GoogleCodeExporter commented 8 years ago
Yes, I just want to see GET or POST logged. :)

Original comment by manico.james@gmail.com on 17 Feb 2011 at 3:25