svn commit: r981532 - in /ofbiz/trunk/framework/base/src/org/ofbiz/base/util: StringUtil.java UtilHttp.java test/StringUtilTests.java


svn commit: r981532 - in /ofbiz/trunk/framework/base/src/org/ofbiz/base/util: StringUtil.java UtilHttp.java test/StringUtilTests.java

doogie-3
Author: doogie
Date: Mon Aug  2 14:46:15 2010
New Revision: 981532

URL: http://svn.apache.org/viewvc?rev=981532&view=rev
Log:
More StringUtil tests; This also tests double-encoding detection, which
required changing the type of defaultWebEncoder.

Modified:
    ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
    ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
    ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java

Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=981532&r1=981531&r2=981532&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Aug  2 14:46:15 2010
@@ -46,7 +46,7 @@ import org.owasp.esapi.Validator;
 import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.HTMLEntityCodec;
 import org.owasp.esapi.codecs.PercentCodec;
-import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.reference.DefaultEncoder;
 import org.owasp.esapi.reference.DefaultValidator;
 
@@ -62,7 +62,7 @@ public class StringUtil {
 
     /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */
     public static final boolean esapiCanonicalizeStrict = false;
-    public static final Encoder defaultWebEncoder;
+    public static final DefaultEncoder defaultWebEncoder;
     public static final Validator defaultWebValidator;
     static {
         // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec
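Review bot: The public field `defaultWebEncoder` is narrowed on the `+` line from the `Encoder` interface to the concrete `DefaultEncoder`, so every caller (UtilHttp among them) is now bound to ESAPI's reference implementation rather than to its interface. The log says the change was required for double-encoding detection; if that is because the `canonicalize(value, true)` overload used later in StringUtil is missing from the `Encoder` interface in the ESAPI version in use, a narrower fix keeps the published field type and casts at that one call site, `((DefaultEncoder) defaultWebEncoder).canonicalize(value, true)`, or at least explains the choice with a comment such as `// DefaultEncoder rather than Encoder: the strict canonicalize overload is needed below`. The static initializer that assigns the field continues outside the hunk.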
@@ -540,7 +540,7 @@ public class StringUtil {
         // canonicalize, strict (error on double-encoding)
         try {
             value = defaultWebEncoder.canonicalize(value, true);
-        } catch (EncodingException e) {
+        } catch (IntrusionException e) {
             // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical
             Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module);
             errorMessageList.add("In field [" + valueName + "] found character escaping (mixed or double) that is not allowed or other format consistency error: " + e.toString());
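Review bot: The message appended to `errorMessageList` still embeds `e.toString()`, so end users now see the fully qualified `org.owasp.esapi.errors.IntrusionException: Input validation failure` (the new StringUtilTests case pins exactly that string), which contradicts the NOTE just above about keeping the end-user message less technical and reveals which validation library is in use. Keep the exception detail in the `Debug.logError` call and make the user line `errorMessageList.add("In field [" + valueName + "] found character escaping (mixed or double) that is not allowed or other format consistency error.");`. IntrusionException is, as far as I recall, unchecked in ESAPI, so nothing forces callers of `canonicalize` to handle it; a comment on the catch, `// IntrusionException is unchecked: catch it here so strict-mode double-encoding is reported, not propagated`, would make the intent clear. The enclosing method starts and ends outside the hunk.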

Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=981532&r1=981531&r2=981532&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Mon Aug  2 14:46:15 2010
@@ -55,6 +55,7 @@ import javolution.util.FastMap;
 
 import org.apache.commons.lang.RandomStringUtils;
 import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.IntrusionException;
 
 /**
  * HttpUtil - Misc HTTP Utility Functions
@@ -260,7 +261,7 @@ public class UtilHttp {
             String cannedStr = StringUtil.defaultWebEncoder.canonicalize(paramValue, StringUtil.esapiCanonicalizeStrict);
             if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter with " + (cannedStr.equals(paramValue) ? "no " : "") + "change: original [" + paramValue + "] canned [" + cannedStr + "]", module);
             return cannedStr;
-        } catch (EncodingException e) {
+        } catch (IntrusionException e) {
             Debug.logError(e, "Error in canonicalize parameter value [" + paramValue + "]: " + e.toString(), module);
             return paramValue;
         }
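Review bot: On IntrusionException the catch still returns the raw `paramValue`, so a parameter that ESAPI refused to canonicalize flows on unchanged while only an error is logged; whether this fail-open is intended is not visible here, and with `esapiCanonicalizeStrict` set to false the strict rejection path may rarely trigger, but the choice deserves a comment such as `// canonicalization failed: fall back to the raw value (fail-open); callers must still validate and encode it`. The log line also echoes the complete raw parameter, which can be large or sensitive; truncating it would be prudent. The `EncodingException` import kept in the previous hunk of this file may now be unused if no other catch references it. The enclosing method starts outside the hunk.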

Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java?rev=981532&r1=981531&r2=981532&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java Mon Aug  2 14:46:15 2010
@@ -18,6 +18,8 @@
  *******************************************************************************/
 package org.ofbiz.base.util.test;
 
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -278,7 +280,24 @@ public class StringUtilTests extends Gen
         assertEquals("all converions", "one && two || three > four >= five < six <= seven", StringUtil.convertOperatorSubstitutions("one @and two @or three @gt four @gteq five @lt six @lteq seven"));
     }
 
+    private static void checkStringForHtmlStrictNone_test(String label, String fixed, String input, String... wantedMessages) {
+        List<String> gottenMessages = new ArrayList<String>();
+        assertEquals(label, fixed, StringUtil.checkStringForHtmlStrictNone(label, input, gottenMessages));
+        assertEquals(label, Arrays.asList(wantedMessages), gottenMessages);
+    }
+
     public void testCheckStringForHtmlStrictNone() {
+        checkStringForHtmlStrictNone_test("null pass-thru", null, null);
+        checkStringForHtmlStrictNone_test("empty pass-thru", "", "");
+        checkStringForHtmlStrictNone_test("o-numeric-encode", "foo", "f&#111;o");
+        checkStringForHtmlStrictNone_test("o-hex-encode", "foo", "f%6fo");
+        checkStringForHtmlStrictNone_test("o-double-hex-encode", "foo", "f%256fo");
+        checkStringForHtmlStrictNone_test("<-not-allowed", "f<oo", "f<oo", "In field [<-not-allowed] less-than (<) and greater-than (>) symbols are not allowed.");
+        checkStringForHtmlStrictNone_test(">-not-allowed", "f>oo", "f>oo", "In field [>-not-allowed] less-than (<) and greater-than (>) symbols are not allowed.");
+        checkStringForHtmlStrictNone_test("high-ascii", "fÀ®", "f%C0%AE");
+        // this looks like a bug, namely the extra trailing ;
+        checkStringForHtmlStrictNone_test("double-ampersand", "f\";oo", "f%26quot%3boo");
+        checkStringForHtmlStrictNone_test("double-encoding", "%2%353Cscript", "%2%353Cscript", "In field [double-encoding] found character escaping (mixed or double) that is not allowed or other format consistency error: org.owasp.esapi.errors.IntrusionException: Input validation failure");
     }
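Review bot: The `double-encoding` case asserts the exact `toString()` of an ESAPI exception (`org.owasp.esapi.errors.IntrusionException: Input validation failure`) inside the user-facing message, so any ESAPI upgrade that rewords the message, or any fix that stops exposing the class name to users, fails this test; matching on the stable prefix `In field [double-encoding] found character escaping` would be more robust. The `double-ampersand` case pins an output the comment itself calls a bug (the trailing `;`), which turns a later fix into a test failure — a TODO naming the suspected defect, or an assertion on the intended value marked as a known failure, would be clearer. The helper name `checkStringForHtmlStrictNone_test` mixes camelCase with a snake-case suffix; `assertCheckStringForHtmlStrictNone` would follow the file's naming.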
 
     public void testCheckStringForHtmlSafeOnly() {