[Esapi-user] DefaultEncoder - constructor must be synchronized.

Jim Manico jim.manico at owasp.org
Sat Aug 7 23:41:10 EDT 2010


Shlomo,

I'd like to release this fix for you soon.  Is it just a matter of making
initializeMaps synchronized?  (private static synchronized void
initializeMaps() to be exact) I think that's it. Anyone have anything to
add before I create a new release candidate? Here is part of the code in
question:

    public class HTMLEntityCodec extends Codec {

        private static HashMap<Character,String> characterToEntityMap;

        private static HashTrie<Character> entityToCharacterMap;

        static {
            initializeMaps();
        }

        /**
         *
         */
        public HTMLEntityCodec() {
        }
    .
    .
    .
        private static synchronized void initializeMaps() {
            String[] entityNames = {
                "quot",   /* 34 : quotation mark */
                "amp",    /* 38 : ampersand */
                "lt",     /* 60 : less-than sign */
                "gt",     /* 62 : greater-than sign */
                "nbsp",   /* 160 : no-break space */
                "iexcl",  /* 161 : inverted exclamation mark */
                "cent",   /* 162 : cent sign */
                "pound",  /* 163 : pound sign */
                "curren", /* 164 : currency sign */
                "yen",    /* 165 : yen sign */
                "brvbar"

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Shlomo Rothschild
Sent: Sunday, August 01, 2010 6:03 AM
To: esapi-user at lists.owasp.org
Subject: [Esapi-user] DefaultEncoder - constructor must be synchronized.

Hi,

I just found out that the call to the DefaultEncoder constructor must be
synchronized.

The DefaultEncoder uses HTMLEntityCodec which in turn uses a static HashMap.

When the HashMap is initialized with values by more than one thread it may
cause a severe problem.

In our production environment I found one machine utilizing 25% of the CPU
by two threads that are stuck on initializing the DefaultEncoder.

<?xml version="1.0" encoding="utf-8"?>
<stack_trace>
  <threadstackframeinfo ="0" class="java.util.HashMap"
      method="put(java.lang.Object, java.lang.Object)" line="374"
      source_file="HashMap.java"/>
  <threadstackframeinfo ="1" class="org.owasp.esapi.codecs.HTMLEntityCodec"
      method="initializeMaps()" line="808" source_file="HTMLEntityCodec.java"/>
  <threadstackframeinfo ="2" class="org.owasp.esapi.codecs.HTMLEntityCodec"
      method="&lt;init&gt;()" line="44" source_file="HTMLEntityCodec.java"/>
  <threadstackframeinfo ="3"
      class="org.owasp.esapi.reference.DefaultEncoder" method="&lt;init&gt;()"
      line="75" source_file="DefaultEncoder.java"/>
</stack_trace>

Shlomo Rothschild | Chief Architect & CISO | Unisfair <http://www.unisfair.com/>
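
An added example, not part of the original thread and not ESAPI code: one way to avoid the race described above is to fill a local HashMap once during class initialization and publish it as a read-only static final field, so no constructor ever calls put() on shared state. The class name EntityTable and the four sample entries are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.*;

// Hypothetical stand-in for a codec with a shared lookup table; not ESAPI code.
public class EntityTable {

    // Built exactly once during class initialization, which the JVM runs
    // under the class-initialization lock, and never mutated afterwards.
    private static final Map<Character, String> CHAR_TO_ENTITY = buildMap();

    private static Map<Character, String> buildMap() {
        // Populate a local map that no other thread can see yet.
        Map<Character, String> m = new HashMap<>();
        m.put((char) 34, "quot");
        m.put((char) 38, "amp");
        m.put((char) 60, "lt");
        m.put((char) 62, "gt");
        // Publish a read-only view so later code cannot call put() on it.
        return Collections.unmodifiableMap(m);
    }

    // The constructor touches no shared state, so callers need no lock.
    public EntityTable() { }

    public String entityFor(char c) { return CHAR_TO_ENTITY.get(c); }

    // Constructs instances from many threads at once and checks each lookup.
    public static void main(String[] args) throws Exception {
        int threads = 16;
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            results.add(pool.submit(() -> {
                start.await();   // hold every worker until all are queued
                return new EntityTable().entityFor('&');
            }));
        }
        start.countDown();
        pool.shutdown();
        for (Future<String> f : results) {
            if (!"amp".equals(f.get(5, TimeUnit.SECONDS))) throw new IllegalStateException("bad lookup");
        }
        System.out.println("all " + threads + " threads finished");
    }
}
```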

 
