fusioncop / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Could not set multiple cookies one by one at single request #254

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. I was trying to set multiple cookies one by one in a single request, like username, token, jsession etc.
2. E.g. response.addCookie(cookie1); response.addCookie(cookie2);
3. Then the system is hitting SecurityWrapperResponse.addHeader(), where it is calling getHttpServletResponse().setHeader(), which is replacing the value of the header name "set-cookie". We need to use getHttpServletResponse().addHeader().

public void addHeader(String name, String value) {
    try {
        // TODO: make stripping a global config
        String strippedName = StringUtilities.stripControls(name);
        String strippedValue = StringUtilities.stripControls(value);
        String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
        String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", ESAPI.securityConfiguration().getMaxHttpHeaderSize(), false);
        // setHeader() replaces every existing value for this header name,
        // so a second Set-Cookie overwrites the first instead of being added
        getHttpServletResponse().setHeader(safeName, safeValue);
    } catch (ValidationException e) {
        logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
    }
}

What is the expected output? What do you see instead?
Expected result should be: in the browser and from request.getCookies(), all the cookie values (username, token, etc.) should be returned. But instead of that, it was returning only the last cookie 'jsession', not the 1st and 2nd cookies 'username' and 'token'.

What version of the product are you using? On what operating system?
version - esapi-2.0.1.jar and esapi-2.0.rc11.jar. 
OS - windows

Does this issue affect only a specified browser or set of browsers?
I have tried this in IE, Firefox, Chrome, Opera and Safari. This will affect all browsers.

Please provide any additional information below.
I am a Software Engineer at Acclaris, http://www.acclaris.com/ . In our system, we are integrating ESAPI (added filter SecurityWrapper.java) for filtering XSS attacks.
I have downloaded the current code base from http://owasp-esapi-java.googlecode.com/svn/trunk/. After that I have modified the code and built a fresh esapi-2.0.2-SNAPSHOT.jar using the instructions from https://www.owasp.org/index.php/ESAPI-Building. Attaching the patch and updated jar. Now it is working fine in our system. Please review and update the SVN code base as well as http://code.google.com/p/owasp-esapi-java/downloads/list, so that we can add the updated version of the jar in our system. Please send your feedback as early as possible.

Thanks,
Anita
Software Engineer, Acclaris

Original issue reported on code.google.com by anita.de...@gmail.com on 17 Nov 2011 at 12:12

GoogleCodeExporter commented 9 years ago
Attaching patch and updated jar.

Original comment by anita.de...@gmail.com on 17 Nov 2011 at 12:15

GoogleCodeExporter commented 9 years ago

Original comment by anita.de...@gmail.com on 17 Nov 2011 at 12:16

GoogleCodeExporter commented 9 years ago
Should be:
public void addHeader(String name, String value) {
    try {
        // TODO: make stripping a global config
        String strippedName = StringUtilities.stripControls(name);
        String strippedValue = StringUtilities.stripControls(value);
        String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
        String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", ESAPI.securityConfiguration().getMaxHttpHeaderSize(), false);
        // addHeader() appends another value for the same header name, so every
        // Set-Cookie the application writes reaches the browser
        getHttpServletResponse().addHeader(safeName, safeValue);
    } catch (ValidationException e) {
        logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
    }
}

Original comment by anita.de...@gmail.com on 24 Nov 2011 at 12:35
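The following is an added, self-contained illustration of the two wrapper variants quoted in this thread (the setHeader() delegation from the original report and the addHeader() delegation from the proposed fix); it is not code from the ESAPI project. It assumes no servlet API on the classpath, so FakeResponse is a hypothetical stand-in that records headers the way a container does, and the ESAPI validator calls are replaced by a hypothetical strip() helper, since the behaviour under test is only how the wrapper delegates to the underlying response. The addCookie() method builds a Set-Cookie header and routes it through addHeader(), which is the path the reporter describes.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical stand-in for HttpServletResponse (assumption: no servlet API
 * available). Like a real container, setHeader() replaces every value stored
 * under a name, while addHeader() appends one more value.
 */
class FakeResponse {
    private final Map<String, List<String>> headers = new LinkedHashMap<>();

    public void setHeader(String name, String value) {
        List<String> values = new ArrayList<>();
        values.add(value);
        headers.put(name, values);                 // discards earlier values
    }

    public void addHeader(String name, String value) {
        headers.computeIfAbsent(name, k -> new ArrayList<>()).add(value); // keeps earlier values
    }

    public List<String> getHeaders(String name) {
        return headers.getOrDefault(name, new ArrayList<>());
    }
}

/**
 * Mirrors the shape of SecurityWrapperResponse.addHeader() from the thread.
 * The flag selects the buggy (setHeader) or fixed (addHeader) delegation.
 * strip() is a hypothetical replacement for the ESAPI stripping/validation.
 */
class HeaderWrapper {
    private final FakeResponse response;
    private final boolean delegateToSetHeader;

    HeaderWrapper(FakeResponse response, boolean delegateToSetHeader) {
        this.response = response;
        this.delegateToSetHeader = delegateToSetHeader;
    }

    /** Drops CR, LF and other control characters so a value cannot start a new header line. */
    private static String strip(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c >= 0x20 && c != 0x7f) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public void addHeader(String name, String value) {
        String safeName = strip(name);
        String safeValue = strip(value);
        if (delegateToSetHeader) {
            response.setHeader(safeName, safeValue);   // the reported bug
        } else {
            response.addHeader(safeName, safeValue);   // the proposed fix
        }
    }

    /** Builds a Set-Cookie header and sends it through addHeader(), as the reporter describes. */
    public void addCookie(String cookieName, String cookieValue) {
        addHeader("Set-Cookie", cookieName + "=" + cookieValue + "; Path=/; HttpOnly");
    }
}

public class SetCookieDemo {
    /** Writes the three cookies from the report (constructed values) and returns what the response holds. */
    static List<String> emittedCookies(boolean delegateToSetHeader) {
        FakeResponse resp = new FakeResponse();
        HeaderWrapper wrapper = new HeaderWrapper(resp, delegateToSetHeader);
        wrapper.addCookie("username", "anita");
        wrapper.addCookie("token", "t0ken-constructed");
        wrapper.addCookie("jsession", "abc123-constructed");
        return resp.getHeaders("Set-Cookie");
    }

    public static void main(String[] args) {
        System.out.println("setHeader delegation: " + emittedCookies(true));  // only the jsession cookie survives
        System.out.println("addHeader delegation: " + emittedCookies(false)); // all three cookies are present
    }
}
```

Compile and run with `javac SetCookieDemo.java && java SetCookieDemo`. The setHeader() variant leaves a single Set-Cookie line (the last cookie written), which matches the symptom in the report; the addHeader() variant leaves three. The control-character stripping is kept in both variants to show that the fix does not weaken the header-injection protection the wrapper exists for: what changes is only whether earlier values for the same header name are retained.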

GoogleCodeExporter commented 9 years ago
I have also been affected by this issue. Is there a good security-related 
reason for addHeader() to call setHeader() on the response instead of 
addHeader()?

If not, I'd love to see a 2.0.2 release very soon.

Original comment by danieljomphe on 5 Jun 2013 at 3:14