demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

SecurityWrapperRequest.getParameters(String) inconsistent with definition in ServletRequest #122

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I have encountered a subtle change of behaviour in my web application after configuring the SecurityWrapper and this has resulted in a bug for me.

The call to SecurityWrapperRequest.getParameterValues(String) currently returns an empty String[] when a parameter does not exist in the underlying HttpServletRequest.

The above behaviour is incorrect as the ServletRequest.getParameterValues(String) javadocs state that this method "Returns an array of String objects containing all of the values the given request parameter has, or null if the parameter does not exist."

Please find attached a patch, including tests, to bring the SecurityWrapperRequest in line with the ServletRequest documentation.

Original issue reported on code.google.com by jonathan...@gmail.com on 11 May 2010 at 10:37
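The contract mismatch described in this report, as an added example that is not ESAPI's code and not the attached patch: `Request`, `clean`, `emptyArrayWrapper`, `contractWrapper` and `describe` are hypothetical names, and a `Map` stands in for the underlying servlet request so the example runs without the servlet API.

```java
import java.util.HashMap;
import java.util.Map;

public class ParameterContractDemo {
    /** Stand-in for ServletRequest: returns null when the parameter does not exist. */
    interface Request {
        String[] getParameterValues(String name);
    }

    // Hypothetical placeholder for the validation a security wrapper applies per value.
    static String clean(String value) {
        return value.trim();
    }

    /** Behaviour reported in the issue: an absent parameter comes back as String[0]. */
    static Request emptyArrayWrapper(Request inner) {
        return name -> {
            String[] raw = inner.getParameterValues(name);
            String[] out = new String[raw == null ? 0 : raw.length];
            for (int i = 0; i < out.length; i++) out[i] = clean(raw[i]);
            return out;
        };
    }

    /** Contract-preserving variant: null passes through, present values are still cleaned. */
    static Request contractWrapper(Request inner) {
        return name -> {
            String[] raw = inner.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < out.length; i++) out[i] = clean(raw[i]);
            return out;
        };
    }

    /** Caller written against the ServletRequest javadoc: null means "not sent". */
    static String describe(Request request, String name) {
        String[] values = request.getParameterValues(name);
        if (values == null) return name + " absent";
        if (values.length == 0) return name + " present but empty (contract broken)";
        return name + " = " + values[0];
    }

    public static void main(String[] args) {
        Map<String, String[]> params = new HashMap<>();   // constructed sample request
        params.put("role", new String[] {" user "});
        Request raw = params::get;                        // Map.get returns null for a missing key
        System.out.println(describe(emptyArrayWrapper(raw), "token"));
        System.out.println(describe(contractWrapper(raw), "token"));
        System.out.println(describe(contractWrapper(raw), "role"));
    }
}
```

A caller that only tests for `null` before reading `values[0]` would throw `ArrayIndexOutOfBoundsException` under the first wrapper, which is why the null-for-absent contract matters to code sitting behind the wrapper.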


GoogleCodeExporter commented 8 years ago

Original comment by jonathan...@gmail.com on 11 May 2010 at 10:38

GoogleCodeExporter commented 8 years ago
Here's the reference for the relevant javadocs: http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/ServletRequest.html#getParameterValues(java.lang.String)

Original comment by jonathan...@gmail.com on 11 May 2010 at 10:41

GoogleCodeExporter commented 8 years ago
Thanks for the patch and the unit tests! I've applied this in revision 1417.

I'm leaving this open for the moment as this needs checked in the 1.4 and 2.1 branches.

Original comment by schal...@darkmist.net on 16 May 2010 at 9:27

GoogleCodeExporter commented 8 years ago

Original comment by schal...@darkmist.net on 16 May 2010 at 9:28

GoogleCodeExporter commented 8 years ago
This only needs fixing in 1.4. Sweet patches, you rock :)

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:48

GoogleCodeExporter commented 8 years ago
Kevin, this is confusing (my fault) and is a 1.4 issue, which we are EOL'ing soon. Drop it for now?

Original comment by manico.james@gmail.com on 17 Feb 2011 at 3:48

GoogleCodeExporter commented 8 years ago
Finally getting around to dropping this.

This issue is already fixed in ESAPI 2.x and release ESAPI 1.4.x is no longer supported. Even if this issue were to be fixed in ESAPI 1.4.x, it would still leave many other bugs--some of which are security issues--as unfixed. Therefore, neither this bug nor any others that are specific to ESAPI 1.4.x will be fixed.

Original comment by kevin.w.wall@gmail.com on 23 Sep 2014 at 1:50