demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

DefaultEncoder.canonicalize() should respect value of Encoder.AllowMultipleEncoding property #160

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The Encoder.AllowMultipleEncoding property in ESAPI.properties does not seem to 
be used anywhere. In DefaultEncoder, the canonicalize() method uses 
IntrusionDetector.Disable instead: 

    public String canonicalize( String input ) {
        if ( input == null ) {
            return null;
        }
        return canonicalize( input, !ESAPI.securityConfiguration().getDisableIntrusionDetection() );
    }

This method should use the Encoder.AllowMultipleEncoding property, with the 
possible addition of another property for Encoder.AllowMixedEncoding. This 
would allow us to handle special cases where we need to allow multiple 
encoding, but not mixed encoding, without disabling intrusion detection across 
the board for all of ESAPI. 

Original issue reported on code.google.com by augu...@gmail.com on 29 Oct 2010 at 9:56
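
The distinction the report draws between multiple and mixed encoding, as an added Java sketch (not ESAPI's code and not the attached patch). It assumes `restrictMultiple` and `restrictMixed` are the negations of `Encoder.AllowMultipleEncoding` and the proposed `Encoder.AllowMixedEncoding`; the class name and the two simplified codecs are hypothetical.

```java
import java.util.List;
import java.util.function.UnaryOperator;
import java.util.regex.*;
// Added illustration: class, method and flag names are hypothetical, not ESAPI's API.
public class CanonicalizeSketch {
    // One pass of %XX percent-decoding.
    static String percent(String s) {
        Matcher m = Pattern.compile("%([0-9A-Fa-f]{2})").matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(c)));
        }
        return m.appendTail(out).toString();
    }

    // One pass over three named HTML entities; &amp; goes last so a pass never double-decodes.
    static String entity(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
        if (input == null) return null;
        List<UnaryOperator<String>> codecs = List.of(CanonicalizeSketch::percent, CanonicalizeSketch::entity);
        boolean[] used = new boolean[codecs.size()];
        String working = input;
        int passes = 0;              // passes that decoded something; more than one means multiple encoding
        boolean changed = true;
        while (changed) {
            changed = false;
            for (int i = 0; i < codecs.size(); i++) {
                String decoded = codecs.get(i).apply(working);
                if (!decoded.equals(working)) { used[i] = true; changed = true; working = decoded; }
            }
            if (changed) passes++;
        }
        int codecsUsed = 0;          // distinct codecs that decoded something; more than one means mixed encoding
        for (boolean u : used) if (u) codecsUsed++;
        if (restrictMultiple && passes > 1) throw new IllegalArgumentException("multiple encoding detected");
        if (restrictMixed && codecsUsed > 1) throw new IllegalArgumentException("mixed encoding detected");
        return working;
    }
    public static void main(String[] args) {
        // Constructed inputs: a double percent-encoded tag, then percent-encoding wrapped around HTML entities.
        System.out.println(canonicalize("%253Cb%253E", false, true));
        try { canonicalize("%26lt;b%26gt;", false, true); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With both flags set to `true`, both constructed inputs are rejected; neither flag depends on whether intrusion detection is enabled.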

GoogleCodeExporter commented 8 years ago
Proposed patch attached. 

Original comment by augu...@gmail.com on 29 Oct 2010 at 10:08

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 29 Oct 2010 at 10:37

GoogleCodeExporter commented 8 years ago
Patch committed to SVN as revision #1630.

Original comment by augu...@gmail.com on 29 Oct 2010 at 5:11