[Esapi-user] (no subject)

Jim Manico jim.manico at owasp.org
Sun Aug 8 23:48:03 EDT 2010


Folks,

I changed the ESAPI 2.0 Validator reference implementation to return an
empty string, or null as appropriate for the getValidX functions with the
errorList argument. These used to return the original (tainted) input data. 

This is a subtle but significant change.

The full "diff" of this change is below. Thoughts?

- Jim

### Eclipse Workspace Patch 1.0

#P ESAPI 2.0 (trunk)

Index: src/main/java/org/owasp/esapi/reference/DefaultValidator.java

===================================================================

--- src/main/java/org/owasp/esapi/reference/DefaultValidator.java
(revision 1470)

+++ src/main/java/org/owasp/esapi/reference/DefaultValidator.java   (working
copy)

@@ -192,9 +192,8 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
original input 

-                              // TODO - optimize so that invalid input is
not canonicalized twice

-                              return encoder.canonicalize(input);

+

+                             return "";

                }

 

                /**
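Review bot: the Javadoc for this method (the `/**` block visible in the trailing context) still needs to state that an empty string, not the canonicalized input, is returned once the ValidationException has been recorded with `errors.addError(context, e)`; callers that echoed the returned value into an error message will now silently get "". The `+` line that replaces the two removed comments is empty; either drop it or keep a one-line comment such as `// error has been added to list, so return empty string`.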

@@ -264,8 +263,8 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
original input 

-                              return input;

+

+                             return "";

                }

 

                /**
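Review bot: with `return input` replaced by `return ""`, a caller can no longer distinguish an invalid value from a legitimately empty one from the return value alone, so the method contract should say that the `errors` list must be consulted after the call. The empty `+` line adds nothing; drop it.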

@@ -298,9 +297,8 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
original input 

-                              // TODO - optimize so that invalid input is
not canonicalized twice

-                              return encoder.canonicalize(input);

+                             

+                             return "";

                }

 

                /**
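Review bot: the added `+` line contains only trailing whitespace; drop it, or replace it with a comment noting the empty-string return as the removed comment did for the old behaviour. The Javadoc point from the first hunk applies here as well: document that "" is returned after the error is added to the list.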

@@ -370,8 +368,8 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
original input 

-                              return input;

+

+                             return "";

                }

 

 
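Review bot: same pattern as the second hunk, `return input` becomes `return ""` with an empty `+` line in place of the explanatory comment; suggest keeping a comment at each of these sites so the intent (error already recorded, return safe empty value) survives in the code and not only in this mail.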

@@ -448,14 +446,8 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
original input  

-                              // TODO - optimize so that invalid input is
not canonicalized twice

-                              try {

-                                              return new
File(input).getCanonicalFile().getName();

-                              } catch (IOException e) {

-                                              // TODO = consider logging
canonicalization error?

-                                              return input;

-                              }

+                             

+                             return "";

                }

                

                /**
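Review bot: removing the `new File(input).getCanonicalFile().getName()` fallback also removes the only IOException handling in this method, so check whether the `java.io.File` and `java.io.IOException` imports are still used elsewhere in DefaultValidator.java. The change is also worth calling out in the commit message as a hardening step: the old failure path resolved an already-rejected, caller-supplied path against the filesystem via `getCanonicalFile()` before handing it back. The `+` line again carries only whitespace.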

@@ -488,7 +480,7 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
null 

+

                                return null;

                }

                
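Review bot: this hunk only deletes the comment that explained the intentional `return null` and replaces it with an empty `+` line; behaviour is unchanged, so either keep the comment or at least do not add the blank line. Since the other methods in this patch now return "", the Javadoc here should say explicitly that null is the failure value for this method.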

@@ -597,8 +589,8 @@

                                } catch (ValidationException e) {

                                                errors.addError(context, e);

                                }

-                              // error has been added to list, so return
original input 

-                              return input;

+                             // return empty byte array on error

+                             return new byte[0];

                }

                

                /**
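Review bot: this is the only site in the patch that keeps an explanatory comment (`// return empty byte array on error`); apply the same to the `return ""` sites for consistency. Returning `new byte[0]` rather than null fits the "empty string, or null as appropriate" rule from the mail, but the Javadoc should state which one this method uses so callers do not null-check a value that is never null.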

 
