Posted to commits@wicket.apache.org by cm...@apache.org on 2012/07/03 14:22:28 UTC
[5/28] git commit: do not emit 0
do not emit 0
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/4b962cee
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/4b962cee
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/4b962cee
Branch: refs/heads/sandbox/resourcefinder
Commit: 4b962ceefa4a6c4d38039674e9e26251986f59fa
Parents: 40a0df5
Author: Carl-Eric Menzel <cm...@wicketbuch.de>
Authored: Tue Jul 3 00:07:02 2012 +0200
Committer: Carl-Eric Menzel <cm...@wicketbuch.de>
Committed: Tue Jul 3 13:18:59 2012 +0200
----------------------------------------------------------------------
.../org/apache/wicket/request/UrlDecoderTest.java | 42 +++++++++++++++
.../apache/wicket/util/encoding/UrlDecoder.java | 7 +--
2 files changed, 45 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/4b962cee/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java
----------------------------------------------------------------------
diff --git a/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java b/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java
new file mode 100644
index 0000000..90d913f
--- /dev/null
+++ b/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.request;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class UrlDecoderTest
+{
+ @Test
+ public void mustNotEmitNullByteForPath() throws Exception
+ {
+ String evil = "http://www.devil.com/highway/to%00hell";
+ String decoded = UrlDecoder.PATH_INSTANCE.decode(evil, "UTF-8");
+ assertEquals(-1, decoded.indexOf('\0'));
+ assertEquals("http://www.devil.com/highway/toNULLhell", decoded);
+ }
+
+ @Test
+ public void mustNotEmitNullByteForQuery() throws Exception
+ {
+ String evil = "http://www.devil.com/highway?destination=%00hell";
+ String decoded = UrlDecoder.QUERY_INSTANCE.decode(evil, "UTF-8");
+ assertEquals(-1, decoded.indexOf('\0'));
+ assertEquals("http://www.devil.com/highway?destination=NULLhell", decoded);
+ }
+}
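Review bot: UrlDecoderTest sits in package `org.apache.wicket.request` and has no import for `org.apache.wicket.util.encoding.UrlDecoder`, the class this commit patches, so `UrlDecoder.PATH_INSTANCE` either resolves to a same-package class or does not compile. If a separate `org.apache.wicket.request.UrlDecoder` exists on this branch, these tests would not exercise the changed return statement. Adding `import org.apache.wicket.util.encoding.UrlDecoder;`, or moving the test beside the patched class, would make the target explicit. Both tests also pin only the percent-encoded form `%00`; a case whose input already contains a raw `\0` character would document that the final replace covers that path as well.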
http://git-wip-us.apache.org/repos/asf/wicket/blob/4b962cee/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java b/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
index 5f6d756..1bffa23 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlDecoder.java
@@ -89,7 +89,6 @@ public class UrlDecoder
return null;
}
- boolean needToChange = false;
int numChars = s.length();
StringBuilder sb = new StringBuilder(numChars > 500 ? numChars / 2 : numChars);
int i = 0;
@@ -110,7 +109,6 @@ public class UrlDecoder
case '+' :
sb.append(decodePlus ? ' ' : '+');
i++;
- needToChange = true;
break;
case '%' :
@@ -163,7 +161,6 @@ public class UrlDecoder
"URLDecoder: Illegal hex characters in escape (%) pattern - " +
e.getMessage());
}
- needToChange = true;
break;
default :
@@ -173,6 +170,8 @@ public class UrlDecoder
}
}
- return (needToChange ? sb.toString() : s);
+ // no trying to filter out bad escapes beforehand, just kill all null bytes here at the end,
+ // that way none will come through
+ return sb.toString().replace("\0", "NULL");
}
}
\ No newline at end of file
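Review bot: The new return `sb.toString().replace("\0", "NULL")` makes an encoded `%00` and the literal text `NULL` decode to the same string, so neither callers nor logs can tell that a NUL was submitted. The substituted word also ends up inside the path or parameter value that downstream code then uses. If the goal is only that no NUL reaches later file or resource lookups, failing the decode as the illegal-hex branch appears to do, or at least logging the substitution, would keep the event visible for detection. Whichever behaviour is kept, the method Javadoc should state it, for example `NUL characters in the decoded result are replaced with the text "NULL"`. The enclosing decode method begins outside this hunk, so how the hex branch signals its error is not visible here.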