[Esapi-dev] Deprecated code in ESAPI

Kevin W. Wall kevin.w.wall at gmail.com
Wed Dec 28 22:54:39 UTC 2011


Charles,

On Wed, Dec 28, 2011 at 11:11 AM, Charles Smith
<charles.smith at n2netsec.com> wrote:
> Do I need to worry about deprecated stuff like this?
>
> The field Encoder.CHAR_ALPHANUMERICS is deprecated
> User.java line 666
> /ESAPI_2.0/src/main/java/org/owasp/esapi
>
> public String resetCSRFToken() throws AuthenticationException {
>   csrfToken = ESAPI.randomizer().getRandomString(8,
> Encoder.CHAR_ALPHANUMERICS);
>   return csrfToken;
> }

Thanks for bringing this to our attention. I opened Google Issue 257
(http://code.google.com/p/owasp-esapi-java/issues/detail?id=257)
regarding this.

As far as being worried about it in uses like this (within ESAPI),
as an ESAPI _user_, you shouldn't really need to be concerned
in cases like that. You would however need to be concerned if
you intended to use the field Encoder.CHAR_ALPHANUMERICS
*directly* in your own code. We should be able to change
any uses within ESAPI itself and make them transparent to the
ESAPI user community.

Thanks again for bringing this to our notice.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

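Added example, not code from this thread or from ESAPI itself: a user-side helper that generates the same 8-character alphanumeric CSRF token as User.resetCSRFToken() without touching the deprecated field. It assumes the character set now lives in EncoderConstants.CHAR_ALPHANUMERICS (ESAPI 2.x); the well-formedness check, entropy figure and constant-time comparison are extras a practitioner would want alongside such a token.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;

/** CSRF token helper for application code that used to reference Encoder.CHAR_ALPHANUMERICS. */
public final class CsrfTokenHelper {

    /** 8 characters, matching the length used in User.resetCSRFToken() above. */
    private static final int TOKEN_LENGTH = 8;

    private CsrfTokenHelper() {}

    /** Before: compiles, but with a deprecation warning (the field may be removed later). */
    @SuppressWarnings("deprecation")
    public static String legacyToken() {
        return ESAPI.randomizer().getRandomString(TOKEN_LENGTH,
                org.owasp.esapi.Encoder.CHAR_ALPHANUMERICS);
    }

    /** After: same token format, sourced from the assumed non-deprecated constant. */
    public static String token() {
        return ESAPI.randomizer().getRandomString(TOKEN_LENGTH,
                EncoderConstants.CHAR_ALPHANUMERICS);
    }

    /** Sanity check: exact length and only ASCII letters or digits. */
    public static boolean isWellFormed(String t) {
        if (t == null || t.length() != TOKEN_LENGTH) return false;
        for (char c : t.toCharArray()) {
            boolean ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (!ok) return false;
        }
        return true;
    }

    /** Entropy of one token in bits: 8 * log2(62) is roughly 47.6 for this alphabet. */
    public static double entropyBits() {
        int alphabet = EncoderConstants.CHAR_ALPHANUMERICS.length;
        return TOKEN_LENGTH * (Math.log(alphabet) / Math.log(2));
    }

    /** Compare the session token with a submitted one without an early-exit timing leak. */
    public static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     submitted.getBytes(StandardCharsets.US_ASCII));
    }
}
```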
