Author: doogie
Date: Mon Aug 2 14:46:15 2010
New Revision: 981532
URL: http://svn.apache.org/viewvc?rev=981532&view=rev
Log:
More StringUtil tests; This also tests double-encoding detection, which
required changing the type of defaultWebEncoder.
Modified:
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=981532&r1=981531&r2=981532&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
(original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Aug
2 14:46:15 2010
@@ -46,7 +46,7 @@ import org.owasp.esapi.Validator;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.HTMLEntityCodec;
import org.owasp.esapi.codecs.PercentCodec;
-import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.reference.DefaultEncoder;
import org.owasp.esapi.reference.DefaultValidator;
@@ -62,7 +62,7 @@ public class StringUtil {
/** OWASP ESAPI canonicalize strict flag; setting false so we only get
warnings about double encoding, etc; can be set to true for exceptions and more
security */
public static final boolean esapiCanonicalizeStrict = false;
- public static final Encoder defaultWebEncoder;
+ public static final DefaultEncoder defaultWebEncoder;
public static final Validator defaultWebValidator;
static {
// possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec,
MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec
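Review bot: `defaultWebEncoder` is now declared as the concrete `DefaultEncoder` instead of the `Encoder` interface, which couples every external reader of this public field to an ESAPI implementation class; the log says this was required, presumably because the `Encoder` interface in the bundled ESAPI version lacks the `canonicalize(String, boolean)` overload that the strict call further down relies on. A javadoc line recording that reason would stop a later cleanup from reverting the type, e.g. `/** Declared as DefaultEncoder (not Encoder) so the strict canonicalize(String, boolean) overload is available. */`. If the interface does provide that overload, the narrowing is unnecessary and the field should stay typed as `Encoder`.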
@@ -540,7 +540,7 @@ public class StringUtil {
// canonicalize, strict (error on double-encoding)
try {
value = defaultWebEncoder.canonicalize(value, true);
- } catch (EncodingException e) {
+ } catch (IntrusionException e) {
// NOTE: using different log and user targeted error messages to
allow the end-user message to be less technical
Debug.logError("Canonicalization (format consistency, character
escaping that is mixed or double, etc) error for attribute named [" + valueName
+ "], String [" + value + "]: " + e.toString(), module);
errorMessageList.add("In field [" + valueName + "] found character
escaping (mixed or double) that is not allowed or other format consistency
error: " + e.toString());
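Review bot: The user-facing message built on the `errorMessageList.add` line appends `e.toString()`, which with the new catch type yields `org.owasp.esapi.errors.IntrusionException: Input validation failure` (the exact string the new StringUtilTests case pins), so the end-user message now carries an ESAPI class name, contrary to the `NOTE` comment above it that wants the user message less technical than the log. Keep `e.toString()` in the `Debug.logError` call and drop it from the list entry: `errorMessageList.add("In field [" + valueName + "] found character escaping (mixed or double) that is not allowed or other format consistency error.");`, adjusting the test expectation to match. The `esapiCanonicalizeStrict` javadoc says false means warnings only, yet this call passes `true` unconditionally; a short comment saying why this site is always strict would help the next reader. The enclosing method starts and ends outside the hunk.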
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=981532&r1=981531&r2=981532&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Mon Aug 2
14:46:15 2010
@@ -55,6 +55,7 @@ import javolution.util.FastMap;
import org.apache.commons.lang.RandomStringUtils;
import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.IntrusionException;
/**
* HttpUtil - Misc HTTP Utility Functions
@@ -260,7 +261,7 @@ public class UtilHttp {
String cannedStr =
StringUtil.defaultWebEncoder.canonicalize(paramValue,
StringUtil.esapiCanonicalizeStrict);
if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter
with " + (cannedStr.equals(paramValue) ? "no " : "") + "change: original [" +
paramValue + "] canned [" + cannedStr + "]", module);
return cannedStr;
- } catch (EncodingException e) {
+ } catch (IntrusionException e) {
Debug.logError(e, "Error in canonicalize parameter value [" +
paramValue + "]: " + e.toString(), module);
return paramValue;
}
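Review bot: On `IntrusionException` the catch returns `paramValue` unchanged, so a parameter that ESAPI has just flagged (the double-encoding this commit sets out to detect, for instance) is handed back to the caller as if canonicalization had succeeded, and the caller cannot tell the two cases apart. If that fallback is deliberate, say so on the `return paramValue;` line, e.g. `// fallback: caller receives the raw, un-canonicalized value; downstream checks must not assume it is canonical`; otherwise consider returning an empty string or letting the exception propagate. With `EncodingException` no longer caught here, the `import org.owasp.esapi.errors.EncodingException;` kept in the earlier hunk of this file may now be unused, if nothing else in UtilHttp references it. The enclosing method starts and ends outside the hunk.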
Modified:
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java?rev=981532&r1=981531&r2=981532&view=diff
==============================================================================
---
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
(original)
+++
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
Mon Aug 2 14:46:15 2010
@@ -18,6 +18,8 @@
*******************************************************************************/
package org.ofbiz.base.util.test;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -278,7 +280,24 @@ public class StringUtilTests extends Gen
assertEquals("all converions", "one && two || three > four >= five <
six <= seven", StringUtil.convertOperatorSubstitutions("one @and two @or three
@gt four @gteq five @lt six @lteq seven"));
}
+ private static void checkStringForHtmlStrictNone_test(String label, String
fixed, String input, String... wantedMessages) {
+ List<String> gottenMessages = new ArrayList<String>();
+ assertEquals(label, fixed,
StringUtil.checkStringForHtmlStrictNone(label, input, gottenMessages));
+ assertEquals(label, Arrays.asList(wantedMessages), gottenMessages);
+ }
+
public void testCheckStringForHtmlStrictNone() {
+ checkStringForHtmlStrictNone_test("null pass-thru", null, null);
+ checkStringForHtmlStrictNone_test("empty pass-thru", "", "");
+ checkStringForHtmlStrictNone_test("o-numeric-encode", "foo",
"foo");
+ checkStringForHtmlStrictNone_test("o-hex-encode", "foo", "f%6fo");
+ checkStringForHtmlStrictNone_test("o-double-hex-encode", "foo",
"f%256fo");
+ checkStringForHtmlStrictNone_test("<-not-allowed", "f<oo", "f<oo", "In
field [<-not-allowed] less-than (<) and greater-than (>) symbols are not
allowed.");
+ checkStringForHtmlStrictNone_test(">-not-allowed", "f>oo", "f>oo", "In
field [>-not-allowed] less-than (<) and greater-than (>) symbols are not
allowed.");
+ checkStringForHtmlStrictNone_test("high-ascii", "fî", "f%C0%AE");
+ // this looks like a bug, namely the extra trailing ;
+ checkStringForHtmlStrictNone_test("double-ampersand", "f\";oo",
"f%26quot%3boo");
+ checkStringForHtmlStrictNone_test("double-encoding", "%2%353Cscript",
"%2%353Cscript", "In field [double-encoding] found character escaping (mixed or
double) that is not allowed or other format consistency error:
org.owasp.esapi.errors.IntrusionException: Input validation failure");
}
public void testCheckStringForHtmlSafeOnly() {
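Review bot: The `double-ampersand` case under the `// this looks like a bug` comment pins the suspected-wrong output `f\";oo` as the expected value, so the suite now guards the bug instead of exposing it; either assert the intended value and let the case fail until the decoding is fixed, or expand the comment to state what the correct output should be, e.g. `// BUG: trailing ';' after the decoded &quot; is kept; intended result is "f\"oo"`. The `high-ascii` case asserts that `%C0%AE` is percent-decoded to a high-ASCII string rather than rejected (the expected literal may be garbled in this rendering); since that byte pair is also a well-known overlong UTF-8 encoding of `.`, a comment stating that pass-through is the intended behaviour here would stop a later reader from treating the expectation as accidental. The new helper name `checkStringForHtmlStrictNone_test` mixes camelCase with an underscore suffix; `assertCheckStringForHtmlStrictNone` would match the surrounding `assert*` naming.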