[OWASP-ESAPI] Encoding implementation issue...

Ed Schaller schallee at darkmist.net
Tue Dec 8 18:59:35 EST 2009

I'm in the process of backporting some changes from 2.0 to 1.4 and came
across something that would seem very troubling. Many of the codecs have
code similar to this from PercentCodec:

		// check for alphanumeric characters
		String hex = Codec.getHexForNonAlphanumeric(c);
		if ( hex == null ) {
			// null is treated as "safe": the character is returned unencoded
			return ""+c;
		}

Here is the implementation of getHexForNonAlphanumeric(char):

	public static String getHexForNonAlphanumeric( char c ) {
		// hex has 256 entries, so anything above 0xFF is skipped rather than indexed
		if ( c > 0xFF ) return null;
		return hex[c];
	}

The c > 0xFF check is the problem. I'm guessing that this is here to
prevent an ArrayOutOfBoundsException when indexing the hex array, which
has 256 entries. While this will keep that from happening it has one major
side effect: characters with values > 0xFF will NEVER be encoded by the
codecs implemented in this manner. This would imply that these encoders
are not safe unless all character values > 0xFF are safe...

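The pass-through described in the post, modelled in Python as an added example (this is not ESAPI code): a 256-entry table guarded by the same "> 0xFF returns null" rule, an encoder built on it, and a corrected encoder that instead percent-encodes the UTF-8 bytes of every non-alphanumeric character. The names and the choice of UTF-8 for the fix are this example's own assumptions.

```python
# Added example, not ESAPI code. Reproduces the bug the post describes:
# a lookup table with 256 entries plus a "c > 0xFF -> null" guard, where
# null is then read as "safe, emit unchanged". The fixed variant never
# returns "safe" for a character it cannot look up.
ALPHANUMERIC = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")

# Stand-in for the 256-entry 'hex' table: None for alphanumerics, "%XX" otherwise.
HEX_TABLE = [None if chr(i) in ALPHANUMERIC else "%%%02X" % i for i in range(256)]


def get_hex_for_non_alphanumeric(c: str):
    """Mirrors the quoted getHexForNonAlphanumeric: None for code points > 0xFF."""
    cp = ord(c)
    if cp > 0xFF:          # the guard from the post: avoids indexing past the table
        return None
    return HEX_TABLE[cp]


def percent_encode_as_posted(s: str) -> str:
    """Encoder shaped like the quoted codec: None is treated as 'pass through'."""
    out = []
    for c in s:
        hexed = get_hex_for_non_alphanumeric(c)
        out.append(c if hexed is None else hexed)   # > 0xFF chars leak unencoded
    return "".join(out)


def percent_encode_fixed(s: str) -> str:
    """Corrected encoder: only alphanumerics pass through; everything else is
    percent-encoded byte by byte as UTF-8, so no code point escapes encoding."""
    out = []
    for c in s:
        if c in ALPHANUMERIC:
            out.append(c)
        else:
            out.append("".join("%%%02X" % b for b in c.encode("utf-8")))
    return "".join(out)


def unencoded_high_chars(encoded: str):
    """Check for an encoder's output: characters above 0xFF that survived verbatim."""
    return [c for c in encoded if ord(c) > 0xFF]


if __name__ == "__main__":
    sample = "a<b\u4e2d"   # constructed input: ASCII plus one CJK character (U+4E2D)
    print(percent_encode_as_posted(sample))   # prints "a%3Cb中": the CJK char leaks
    print(percent_encode_fixed(sample))       # prints "a%3Cb%E4%B8%AD"
```

Characters in the 0x80-0xFF range also differ between the two: the table emits the single Latin-1 byte ("%E9" for U+00E9) while the fixed encoder emits its UTF-8 bytes ("%C3%A9"), so a consumer that decodes as UTF-8 only agrees with the second.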
