ibnemahdi / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

DefaultEncoder not respecting IntrusionDetector.Disable=true in ESAPI.properties #152

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set IntrusionDetector.Disable=true in ESAPI.properties
2. Pass a double-encoded String to StringValidationRule.getValid(String context, String input)
3. An IntrusionException is thrown

What is the expected output? What do you see instead?

I would expect IntrusionException to not be thrown, thus respecting the property in ESAPI.properties.

Please use labels and text to provide additional information.

From the source code, it looks like StringValidationRule.getValid( String context, String input ) calls the one-argument DefaultEncoder.canonicalize(String input) which automatically enforces strict intrusion detection regardless of the value in ESAPI.properties.

The one argument canonicalize() method should be adjusted to use the value from ESAPI.properties instead of the hard-coded 'true' value for strict.

Original issue reported on code.google.com by augu...@gmail.com on 28 Sep 2010 at 8:02
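The behaviour the report describes, as an added illustration that is not ESAPI's code and not the attached patch: a self-contained stand-in canonicalizer with a one-argument overload that hard-codes strict=true (the reported bug) next to one that reads IntrusionDetector.Disable from a Properties object standing in for ESAPI.properties (the proposed fix). The percent decoder, the CONFIG object, the IntrusionException class and the method names canonicalizeBuggy/canonicalizeFixed are all hypothetical; the real DefaultEncoder decodes through a chain of codecs and reads its configuration via ESAPI.securityConfiguration(), whose exact getter for this property is not shown on this page.

```java
import java.util.Properties;

public class CanonicalizeDemo {

    /** Stand-in for org.owasp.esapi.errors.IntrusionException (hypothetical, for this example only). */
    static class IntrusionException extends RuntimeException {
        IntrusionException(String message) { super(message); }
    }

    /** Stand-in for ESAPI.properties; only the key this issue is about is consulted. */
    static final Properties CONFIG = new Properties();

    static boolean intrusionDetectionDisabled() {
        return Boolean.parseBoolean(CONFIG.getProperty("IntrusionDetector.Disable", "false"));
    }

    /** Decode one layer of %XX escapes; malformed sequences are left untouched. */
    static String percentDecodeOnce(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()
                    && Character.digit(s.charAt(i + 1), 16) >= 0
                    && Character.digit(s.charAt(i + 2), 16) >= 0) {
                out.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Two-argument form: decode until the string stops changing. In strict mode,
     * needing more than one decoding pass (i.e. double encoding) is treated as an intrusion.
     */
    static String canonicalize(String input, boolean strict) {
        if (input == null) {
            return null;
        }
        String current = input;
        int layers = 0;
        while (true) {
            String next = percentDecodeOnce(current);
            if (next.equals(current)) {
                break;
            }
            current = next;
            layers++;
        }
        if (strict && layers > 1) {
            throw new IntrusionException("input was encoded " + layers + " times: " + input);
        }
        return current;
    }

    /** One-argument form as the report describes it: strict is hard-coded, the property is ignored. */
    static String canonicalizeBuggy(String input) {
        return canonicalize(input, true);
    }

    /** One-argument form after the proposed fix: strict follows IntrusionDetector.Disable. */
    static String canonicalizeFixed(String input) {
        return canonicalize(input, !intrusionDetectionDisabled());
    }

    public static void main(String[] args) {
        // Constructed sample: "<script>" URL-encoded twice.
        String doubleEncoded = "%253Cscript%253E";

        CONFIG.setProperty("IntrusionDetector.Disable", "true");
        try {
            canonicalizeBuggy(doubleEncoded);
            System.out.println("buggy overload: no exception");
        } catch (IntrusionException e) {
            System.out.println("buggy overload ignores the property: " + e.getMessage());
        }
        System.out.println("fixed overload, detection disabled: " + canonicalizeFixed(doubleEncoded));

        CONFIG.setProperty("IntrusionDetector.Disable", "false");
        try {
            canonicalizeFixed(doubleEncoded);
            System.out.println("fixed overload, detection enabled: no exception");
        } catch (IntrusionException e) {
            System.out.println("fixed overload, detection enabled: " + e.getMessage());
        }
    }
}
```

With the property set to true, the fixed overload returns the fully decoded value ("<script>") instead of throwing, so the validation rule that called it still sees the canonical form and applies its own whitelist to it; the caller that wants strict behaviour regardless of configuration can still invoke the two-argument overload with strict=true explicitly. Note that disabling intrusion detection means a double-encoded payload is decoded silently, so any downstream validation must be relied on to reject it.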

GoogleCodeExporter commented 9 years ago
Proposed patch attached and ready to checkin. I ran a clean build and all tests pass:

Tests run: 490, Failures: 0, Errors: 0, Skipped: 0

Original comment by augu...@gmail.com on 28 Sep 2010 at 8:12

GoogleCodeExporter commented 9 years ago
Changes committed to SVN. 

Original comment by augu...@gmail.com on 28 Sep 2010 at 8:29