tracker issue : CF-3918986

Title:

[ANeff] ER for: canonicalization in encodeFor_() functions to be configurable


Status/Resolution/Reason: To Fix//

Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)

Created: 01/10/2015

Components: Security

Versions: 11.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Platforms All

Vote Count: 0

Currently, encodeFor_(theInput, true) allows multi and mixed encodings. However, ESAPI's recommendation is: "it's safer to not accept this stuff in the first place".

This ER is for encodeFor_(theInput, true) to match the behavior of encodeFor_(canonicalize(theInput, true, true, false)), since that is more secure and matches ESAPI's recommendation.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3918986

External Customer Info:
External Company:  
External Customer Name: itisdesign
External Customer Email:

Attachments:

Comments:

Related URL: https://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#canonicalize%28java.lang.String,%20boolean,%20boolean%29
Comment by External U.
9005 | January 10, 2015 06:33:51 AM GMT
Adobe, I'd like to change my request. Could the title of this ticket please be changed to "[ANeff] ER for: canonicalization in encodeFor_() functions to be configurable"? And could encodeFor_() functions please just accept a string for the 2nd parameter? So these would all be valid:

    encodeForURL(theInput, true); //this is the default, and would behave exactly as it currently does
    encodeForURL(theInput, "restrictMultiple"); //restricts multiple encoding
    encodeForURL(theInput, "restrictMixed"); //restricts mixed encoding
    encodeForURL(theInput, "restrictAll"); //restricts multiple AND mixed encoding

If a canonicalization exception was thrown, they'd return an empty string (exactly as canonicalize()'s throwOnError=false). Thanks!, -Aaron
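To make concrete what the ticket description and the comment above are asking for, here is an added Python model (not ColdFusion's or ESAPI's code) of ESAPI-style canonicalization with restrictMultiple/restrictMixed flags, plus an encodeForURL() wrapper that accepts the proposed string modes. The decoder set, the MODES table and the encode_for_url name are assumptions made for this illustration.

```python
import html
from urllib.parse import quote, unquote

# Single-pass decoders standing in for ESAPI's PercentCodec and HTMLEntityCodec.
# Assumption: two codecs are enough to show multiple vs. mixed encoding.
CODECS = {"percent": unquote, "html": html.unescape}


class IntrusionError(ValueError):
    """Raised when a restricted encoding pattern is found (ESAPI's IntrusionException)."""


def canonicalize(s, restrict_multiple=True, restrict_mixed=True, throw_on_error=False):
    """Decode until the string is stable, counting how often each codec changed it."""
    counts = {name: 0 for name in CODECS}
    working, changed = s, True
    while changed:
        changed = False
        for name, decode in CODECS.items():
            decoded = decode(working)
            if decoded != working:            # this codec found something to decode
                counts[name] += 1
                working, changed = decoded, True
    multiple = any(n > 1 for n in counts.values())    # same codec applied twice
    mixed = sum(1 for n in counts.values() if n) > 1   # two different codecs used
    if (restrict_multiple and multiple) or (restrict_mixed and mixed):
        if throw_on_error:
            raise IntrusionError(f"multiple={multiple} mixed={mixed} in {s!r}")
        return ""   # throwOnError=false: the caller gets an empty string
    return working


# Hypothetical mapping of the string modes proposed in the comment to flags.
MODES = {
    True: (False, False),             # current behaviour: canonicalize permissively
    "restrictMultiple": (True, False),
    "restrictMixed": (False, True),
    "restrictAll": (True, True),
}


def encode_for_url(the_input, mode=True):
    """Model of the proposed encodeForURL(theInput, mode); returns "" on a restricted pattern."""
    restrict_multiple, restrict_mixed = MODES[mode]
    clean = canonicalize(the_input, restrict_multiple, restrict_mixed)
    return quote(clean, safe="")
```

With the default mode, "%2541" (double percent-encoded "A") is decoded and re-encoded as "A"; with "restrictMultiple" the same input yields an empty string, and "%26lt%3B" (percent-encoded HTML entity) is rejected only by the modes that restrict mixed encoding.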
Comment by External U.
9006 | January 19, 2015 04:05:45 AM GMT