marylinh / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Misc bug fixes in DefaultSecurityConfiguration #207

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Upon inspecting the DefaultSecurityConfiguration code, I discovered two
apparent bugs.

The first was if the class tries to load the ESAPI.properties file via the class loaders, it continues to try *ALL* 3 of the class loaders even if it has already found and loaded ESAPI.properties. This could potentially lead to subtle problems, including, but not limited to, security problems if different ESAPI files are found in different places by two or more different class loaders. The fix is to stop once we have successfully loaded ESAPI.properties.

The second issue is if ESAPI.properties cannot be loaded at all, it returns as
though nothing is amiss (except that it will log something to System.out). This
generally results in a NPE sometime later on.

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 3 Feb 2011 at 10:55

GoogleCodeExporter commented 9 years ago
I believe that this second issue is the root cause of Google Issue #205 and 
this fix should address that. (Instead, a meaningful ConfigurationException 
will be thrown.)

Original comment by kevin.w.wall@gmail.com on 4 Feb 2011 at 7:15

GoogleCodeExporter commented 9 years ago
Addressed via SVN revision 1700.

Original comment by kevin.w.wall@gmail.com on 4 Feb 2011 at 7:16

GoogleCodeExporter commented 9 years ago
SVN rev 1700. (Forgot to change the status last time. Getting late folks, even
for me. :)

Original comment by kevin.w.wall@gmail.com on 4 Feb 2011 at 7:17
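
Added example, not part of the original thread and not the ESAPI source or the code from SVN revision 1700: a sketch of the two behaviours the issue asks for, stopping at the first class loader that yields ESAPI.properties and failing with an exception when none does. The class name, the exception type and the order of the three class loaders are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class FirstMatchConfigLoader {

    /** Hypothetical stand-in for a configuration exception type. */
    public static class ConfigLoadException extends RuntimeException {
        public ConfigLoadException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Loads the resource from the first class loader that can see it, then stops. */
    public static Properties load(String resource) {
        // Assumed search order; the issue only says that three class loaders are tried.
        Map<String, ClassLoader> loaders = new LinkedHashMap<>();
        loaders.put("thread context", Thread.currentThread().getContextClassLoader());
        loaders.put("system", ClassLoader.getSystemClassLoader());
        loaders.put("defining class", FirstMatchConfigLoader.class.getClassLoader());

        for (Map.Entry<String, ClassLoader> e : loaders.entrySet()) {
            ClassLoader cl = e.getValue();
            if (cl == null) continue;               // unset context loader or bootstrap loader
            try (InputStream in = cl.getResourceAsStream(resource)) {
                if (in == null) continue;           // not visible to this loader, try the next
                Properties props = new Properties();
                props.load(in);
                // Record which copy was used so a shadowed file is diagnosable.
                System.err.println("Loaded " + resource + " via " + e.getKey() + " class loader");
                return props;                       // first match wins: later loaders are never consulted
            } catch (IOException ex) {
                // A copy was found but is unreadable: fail rather than fall back to another copy.
                throw new ConfigLoadException("Found but could not read " + resource, ex);
            }
        }
        // Fail closed instead of returning as though nothing is amiss.
        throw new ConfigLoadException("Could not load " + resource + " from any class loader", null);
    }

    public static void main(String[] args) {
        try {
            Properties p = load(args.length > 0 ? args[0] : "ESAPI.properties");
            System.out.println("Loaded " + p.size() + " properties");
        } catch (ConfigLoadException ex) {
            System.err.println("Configuration error: " + ex.getMessage());
            System.exit(1);
        }
    }
}
```

Run without an ESAPI.properties on the classpath, it exits with a configuration error at startup instead of deferring the failure to a later NullPointerException.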