[ https://issues.apache.org/jira/browse/HTTPCORE-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCORE-338.
----------------------------------------
Resolution: Not A Problem

Warnings about ChunkedOutputStream, IdentityOutputStream and
ContentLengthOutputStream are completely bogus. Those are low-level transport
classes that never deal with user input directly. AuthenticationStrategyImpl is
a somewhat better catch. It does log the host name and port of the peer endpoint
HttpClient attempts to authenticate against, but I do not think this represents
a security issue in any form or fashion. Besides, the entry is logged with
DEBUG priority only.

Oleg

> A security test showed some "warnings"
> --------------------------------------
>
> Key: HTTPCORE-338
> URL: https://issues.apache.org/jira/browse/HTTPCORE-338
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore
> Affects Versions: 4.2.4
> Reporter: oliver z
>
> I use HttpCore 4.2.4 and HttpClient 4.2.5 in a project which just got scanned
> by a security framework that showed me some warnings and I would like to know
> if that is a real risk or just a false positive.
> ChunkedOutputStream.java 97
> ChunkedOutputStream.java 109
> ChunkedOutputStream.java 110
> ContentLengthOutputStream.java 119
> It says it should be avoided to directly embed user input in log files.
> User-supplied data should be sanitized to construct log entries and a safe
> logging mechanism should be used like OWASP ESAPI logger which automatically
> removes unexpected carriage returns and line feeds. User supplied data should
> always be validated.
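
The CR/LF neutralization the scanner recommends, applied to the kind of value mentioned in the resolution comment (a peer host name written to a log entry), as an added example that is not code from HttpCore, HttpClient or ESAPI. The class and method names, the 256-character cap and the sample host string are assumptions, and java.util.logging stands in for whatever logging backend the application uses.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration: class, method and constant names are hypothetical.
public class LogNeutralizer {
    private static final Logger LOG = Logger.getLogger(LogNeutralizer.class.getName());
    private static final int MAX_LEN = 256; // assumed cap for one logged value

    // Replaces line breaks and other control characters with a visible token
    // so that one logged value can never start a second log line.
    static String neutralize(String value) {
        if (value == null) {
            return "(null)";
        }
        StringBuilder out = new StringBuilder();
        int limit = Math.min(value.length(), MAX_LEN);
        for (int i = 0; i < limit; i++) {
            char c = value.charAt(i);
            // isISOControl covers CR, LF, TAB, DEL and NEL (0x85);
            // 0x2028 and 0x2029 are the Unicode line and paragraph separators.
            if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029) {
                out.append(String.format("<U+%04X>", (int) c));
            } else {
                out.append(c);
            }
        }
        if (value.length() > MAX_LEN) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a peer host string carrying an embedded CRLF.
        String host = "example.test\r\nDEBUG forged entry";
        String safe = neutralize(host);
        if (safe.indexOf('\r') >= 0 || safe.indexOf('\n') >= 0) {
            throw new AssertionError("line break survived neutralization");
        }
        // The value is passed as a parameter, already neutralized.
        LOG.log(Level.INFO, "Authenticating against {0}:{1}",
                new Object[] {safe, String.valueOf(8080)});
    }
}
```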