vidyuthd / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

SecurityWrapperRequest#getQueryString() decodes percent escapes #125

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Wrap a request that contains a % escape in the query string
2. Call getQueryString()
3. Note that percent escapes have been unescaped.

What is the expected output? What do you see instead?

This is debatable. The problem here is that unescaping % changes the
meaning of the query string. In normal form encoding
name1=value1&name2=value2, equals and ampersand must be escaped in names
and values. However, the unescaping that getQueryString is performing would
cause the values not to parse correctly.

Please use labels and text to provide additional information.

It needs to be decided what is best to do here. The purpose of this routine
makes canonicalization and validation difficult at best because it bypasses
the normal decoding into parameters that is done internally by the request.
I have seen URLs with other meta characters in the query string than those
done for form encoding, though I don't know what the specification says
about such.

My current thought on the issue is that this routine is generally expected
to return a raw value. As such it would probably be best just to validate
that the characters contained therein are valid characters for a query
string and not go farther. I believe this would just be URL chars without
the '#' but I would need to test.

Original issue reported on code.google.com by schal...@darkmist.net on 16 May 2010 at 1:42
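The ordering problem described in the report, as an added Java example that is not part of ESAPI or of this thread: decoding the whole query string before splitting on `&` and `=` changes how it parses, while validating the raw string against the RFC 3986 query character set (my assumption of what "URL chars without the '#'" amounts to) needs no decoding at all. The query string is constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class QueryStringDemo {
    // Assumed character set: the RFC 3986 "query" production (unreserved, sub-delims,
    // ':' '@' '/' '?' and pct-encoded triplets). '#' is absent because it starts the fragment.
    private static final Pattern RAW_QUERY =
        Pattern.compile("(?:[A-Za-z0-9\\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*");

    // Validate the still-encoded query string without altering it.
    static boolean isValidRawQuery(String q) {
        return q != null && RAW_QUERY.matcher(q).matches();
    }

    // Split on '&' and '=' only; decode each piece afterwards if asked to.
    private static Map<String, String> split(String q, boolean decodePieces) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : q.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            if (decodePieces) {
                name = URLDecoder.decode(name, StandardCharsets.UTF_8);
                value = URLDecoder.decode(value, StandardCharsets.UTF_8);
            }
            out.put(name, value);
        }
        return out;
    }

    // Correct order: structure first, then decode the individual names and values.
    static Map<String, String> splitThenDecode(String raw) {
        return split(raw, true);
    }

    // The order the issue complains about: decode everything, then look for structure.
    static Map<String, String> decodeThenSplit(String raw) {
        return split(URLDecoder.decode(raw, StandardCharsets.UTF_8), false);
    }

    public static void main(String[] args) {
        // Constructed sample: the value of "a" legitimately contains "&b=2", percent-encoded.
        String raw = "a=1%26b%3D2&c=3";
        System.out.println("raw valid:         " + isValidRawQuery(raw));      // true
        System.out.println("split then decode: " + splitThenDecode(raw));     // {a=1&b=2, c=3}
        System.out.println("decode then split: " + decodeThenSplit(raw));     // {a=1, b=2, c=3}
        System.out.println("fragment accepted: " + isValidRawQuery("a=1#x"));  // false
    }
}
```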

GoogleCodeExporter commented 9 years ago
It also seems like throwing a runtime exception would be better than returning an
empty string when validation fails.

Original comment by schal...@darkmist.net on 16 May 2010 at 1:44

GoogleCodeExporter commented 9 years ago
Agreed - this should be resolved before 2.0GA.

Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:50

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 19 Nov 2010 at 2:37

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 20 Nov 2010 at 11:30

GoogleCodeExporter commented 9 years ago
Jim: In Comment 2, what are you agreeing with? Comment #1, about throwing some 
sort of RuntimeException or the general description of this issue or both?

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 6:51