Posted to commits@wicket.apache.org by cm...@apache.org on 2012/07/03 14:22:28 UTC

[5/28] git commit: do not emit 0

do not emit 0


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/4b962cee
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/4b962cee
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/4b962cee

Branch: refs/heads/sandbox/resourcefinder
Commit: 4b962ceefa4a6c4d38039674e9e26251986f59fa
Parents: 40a0df5
Author: Carl-Eric Menzel <cm...@wicketbuch.de>
Authored: Tue Jul 3 00:07:02 2012 +0200
Committer: Carl-Eric Menzel <cm...@wicketbuch.de>
Committed: Tue Jul 3 13:18:59 2012 +0200

----------------------------------------------------------------------
 .../org/apache/wicket/request/UrlDecoderTest.java  |   42 +++++++++++++++
 .../apache/wicket/util/encoding/UrlDecoder.java    |    7 +--
 2 files changed, 45 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/4b962cee/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java
----------------------------------------------------------------------
diff --git a/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java b/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java
new file mode 100644
index 0000000..90d913f
--- /dev/null
+++ b/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.request;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class UrlDecoderTest
+{
+	@Test
+	public void mustNotEmitNullByteForPath() throws Exception
+	{
+		String evil = "http://www.devil.com/highway/to%00hell";
+		String decoded = UrlDecoder.PATH_INSTANCE.decode(evil, "UTF-8");
+		assertEquals(-1, decoded.indexOf('\0'));
+		assertEquals("http://www.devil.com/highway/toNULLhell", decoded);
+	}
+
+	@Test
+	public void mustNotEmitNullByteForQuery() throws Exception
+	{
+		String evil = "http://www.devil.com/highway?destination=%00hell";
+		String decoded = UrlDecoder.QUERY_INSTANCE.decode(evil, "UTF-8");
+		assertEquals(-1, decoded.indexOf('\0'));
+		assertEquals("http://www.devil.com/highway?destination=NULLhell", decoded);
+	}
+}
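Review bot: The test file has no import for `org.apache.wicket.util.encoding.UrlDecoder`, the class this commit patches, so `UrlDecoder.PATH_INSTANCE` and `UrlDecoder.QUERY_INSTANCE` resolve against the test's own package `org.apache.wicket.request`. If a same-named class exists there, these assertions may exercise a different class than the one changed, and if none exists the file does not compile; confirm this, and add `import org.apache.wicket.util.encoding.UrlDecoder;` if the util class is the intended target. Both cases cover only a single `%00` escape, so an input with a raw `\0` character and one with no escapes at all would also pin the now-unconditional replace at the end of `decode`. A comment above the assertions such as `// decoded output must never contain U+0000; the decoder substitutes the text "NULL"` would explain why the expected strings contain `NULL`.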

http://git-wip-us.apache.org/repos/asf/wicket/blob/4b962cee/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java b/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
index 5f6d756..1bffa23 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
@@ -89,7 +89,6 @@ public class UrlDecoder
 			return null;
 		}
 
-		boolean needToChange = false;
 		int numChars = s.length();
 		StringBuilder sb = new StringBuilder(numChars > 500 ? numChars / 2 : numChars);
 		int i = 0;
@@ -110,7 +109,6 @@ public class UrlDecoder
 				case '+' :
 					sb.append(decodePlus ? ' ' : '+');
 					i++;
-					needToChange = true;
 					break;
 
 				case '%' :
@@ -163,7 +161,6 @@ public class UrlDecoder
 							"URLDecoder: Illegal hex characters in escape (%) pattern - " +
 								e.getMessage());
 					}
-					needToChange = true;
 					break;
 
 				default :
@@ -173,6 +170,8 @@ public class UrlDecoder
 			}
 		}
 
-		return (needToChange ? sb.toString() : s);
+		// no trying to filter out bad escapes beforehand, just kill all null bytes here at the end,
+		// that way none will come through
+		return sb.toString().replace("\0", "NULL");
 	}
 }
\ No newline at end of file
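Review bot: The final `replace("\0", "NULL")` rewrites the decoded value silently, so a request carrying `%00` becomes indistinguishable from one that literally contained the text `NULL`, and nothing downstream can tell that a null byte was submitted. If such input should be treated as hostile, failing the decode (the `%` branch earlier in this method already reports illegal escapes) or recording the event would preserve that signal for callers and for logs. At minimum the comment should say that a four-character marker is substituted rather than the byte being removed, e.g. `// replace every NUL with the literal text "NULL" so no null byte reaches callers; the result is lossy`. Removing `needToChange` also means a new String is built and scanned for every input, including ones with no escapes. The enclosing method begins outside this hunk.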