[Esapi-user] Bug in HttpUtilities with empty cookie value
chris.schmidt at owasp.org
Wed Nov 9 11:34:44 EST 2011
We would never hate someone for bringing us bug fixes! :)
Anyhow, that being said - I will look into all of these over the weekend and
get back to you. Just wanted to let ya know we aren't ignoring you, just a
busy time of year for most of us I think!
Thanks, and keep em comin!
On 11/8/11 10:00 AM, "Olivier Jaquemet" <olivier.jaquemet at jalios.com> wrote:
> Me again,
> Damn... you are going to hate me after all my posts on this mailing list...
> My apologies if I should have reported the bugs directly on the ESAPI
> bug tracker. But I always prefer discussing an issue before, as I may
> not be aware of the original reason some behavior is applied or not...
> Anyway, here is the latest bug discovered with DefaultHttpUtilities
> implementation of addCookie().
> If an empty value is specified, the cookie is not validated and not sent
> in the response.
> For example this code will not work as expected :
> Cookie cookie = new Cookie("foobar", "")
> ESAPI.httpUtilities().addCookie(response, cookie);
> This code seems legitimate (used to delete a cookie on the browser) and
> has been working fine on all major app servers for years (Tomcat,
> WebLogic, WebSphere and Resin).
> The fix lies in two places :
> 1. in addCookie(), allow null value
> String cookieValue = ESAPI.validator().getValidInput("cookie
> value", value, "HTTPCookieValue", 5000, true /*was false*/, errors);
> 2. in createCookieHeader(), support null value and send empty cookie
> value (use quoted string to match behavior of Tomcat, which works fine
> with all browser) :
> String header = name + "=" + ((value == null) ? "\"\"" : value) ;
> PS : I don't want to sound condescending as I have no experience in
> security, and might be wrong with all those bug reports, but 4 bugs
> related to cookie management, it makes you wonder if anybody is using
> ESAPI to protect their cookie or if I am completely stupid and do not
> use the API as planned :/
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
More information about the Esapi-user