slocumbf / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

isInvalidFileName allows back slash failing tests #54

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. svn checkout..
2. mvn -Dtest=ValidatorTest test

What is the expected output? What do you see instead?

isInvalidFileName should not claim a file with a back slash in it is valid.

Please use labels and text to provide additional information.

This has been split out from issue 39

testIsInvalidFilename:

This test fails on a filename being passed as valid when it has a backslash
('\\') in it. The test expects this to be rejected as invalid which is
probably a good idea. The problem is that during the validation the
filename is canonicalized using the encoder. The encoder includes the
JavaScript codec which removes the backslash. When the canonicalized
filename is validated it no longer contains the backslash and validation
succeeds. 

I am not familiar enough with the ESAPI.properties, but changing
"Encoder.DefaultCodecList" is not having any effect on the encoders
actually used (validated by inserting printlns). Canonicalize is also
applying the codecs repeatedly until nothing changes which seems to be
contrary to the default Encoder.AllowMultipleEncoding=false as well.

Original issue reported on code.google.com by schal...@darkmist.net on 10 Nov 2009 at 2:21
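The failure mode described in the report above, as an added example that is not part of the original issue and not ESAPI's code: a small Python model of a JavaScript-style backslash codec and of the "apply every codec until nothing changes" canonicalization loop, followed by a filename check that validates only the canonical form (the reported behaviour) beside a hypothetical stricter check. The names `js_decode`, `pct_decode`, `canonicalize`, `FILENAME_RE`, `is_valid_filename_canonical_only` and `is_valid_filename_strict`, the allow-list pattern and the sample filenames are all constructed for this illustration; the strict variant is one possible mitigation, not a description of what revision 808 changed.

```python
import re

# Constructed model of the backslash handling the issue describes in the
# JavaScript codec (an illustration, not ESAPI's code): a backslash starts an
# escape sequence, and an escape the codec does not recognise yields the
# following character on its own, so the backslash silently disappears.
_JS_SIMPLE_ESCAPES = {
    "b": "\b", "t": "\t", "n": "\n", "v": "\v", "f": "\f", "r": "\r",
    '"': '"', "'": "'", "\\": "\\", "0": "\0",
}
_HEX2 = re.compile(r"[0-9a-fA-F]{2}")
_HEX4 = re.compile(r"[0-9a-fA-F]{4}")


def js_decode(s: str) -> str:
    """Decode one layer of JavaScript-style backslash escapes."""
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 >= len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt in _JS_SIMPLE_ESCAPES:
            out.append(_JS_SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt in "xX" and _HEX2.fullmatch(s[i + 2:i + 4]):
            out.append(chr(int(s[i + 2:i + 4], 16)))
            i += 4
        elif nxt in "uU" and _HEX4.fullmatch(s[i + 2:i + 6]):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        else:
            # Unrecognised escape: keep the character, drop the backslash.
            out.append(nxt)
            i += 2
    return "".join(out)


def pct_decode(s: str) -> str:
    """Decode one layer of %XX percent-encoding (a second codec, so the
    repeated-canonicalization loop below has something to iterate over)."""
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def canonicalize(s: str, codecs=(pct_decode, js_decode)) -> str:
    """Model of the loop the issue describes: run every codec over the input
    and repeat until a full pass changes nothing, so stacked encoding layers
    are peeled off one after another."""
    while True:
        before = s
        for codec in codecs:
            s = codec(s)
        if s == before:
            return s


# Constructed allow-list for this example, deliberately without backslash
# (ESAPI's own Validator.FileName pattern is broader; this is not it).
FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def is_valid_filename_canonical_only(name: str) -> bool:
    """The reported behaviour: validate the canonicalized string only. The
    backslash is gone by the time the pattern runs, so the name passes."""
    return FILENAME_RE.fullmatch(canonicalize(name)) is not None


def is_valid_filename_strict(name: str) -> bool:
    """Hypothetical hardened check (one option, not what revision 808 did):
    treat any input that canonicalization alters as encoded and reject it,
    then apply the allow-list to the unchanged value."""
    canon = canonicalize(name)
    return canon == name and FILENAME_RE.fullmatch(canon) is not None


if __name__ == "__main__":
    # Constructed sample filenames: a clean one, a backslash that is dropped,
    # a backslash that becomes a form feed (\f), and a percent-encoded backslash.
    for name in ["report.txt", "my\\stuff.txt", "dir\\file.txt", "my%5Cstuff.txt"]:
        print(f"{name!r:18} canon={canonicalize(name)!r:18} "
              f"canonical_only={is_valid_filename_canonical_only(name)} "
              f"strict={is_valid_filename_strict(name)}")
```

Running the block shows the two halves of the report: `my\stuff.txt` canonicalizes to `mystuff.txt` and passes the canonical-only check, while `my%5Cstuff.txt` needs two passes of the loop before the backslash vanishes and then passes for the same reason; the strict variant rejects both because canonicalization changed the input.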

GoogleCodeExporter commented 9 years ago
Fixed in revision 808

Original comment by schal...@darkmist.net on 11 Nov 2009 at 11:09