Posted to commits@wicket.apache.org by cm...@apache.org on 2012/07/03 14:22:28 UTC
[3/28] git commit: do not emit 0
do not emit 0
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/29a7c136
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/29a7c136
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/29a7c136
Branch: refs/heads/wicket-1.4.x
Commit: 29a7c1367dade67a4033bc1adac8e52f2f65d579
Parents: ed102d3
Author: Carl-Eric Menzel <cm...@wicketbuch.de>
Authored: Tue Jul 3 13:43:53 2012 +0200
Committer: Carl-Eric Menzel <cm...@wicketbuch.de>
Committed: Tue Jul 3 13:43:53 2012 +0200
----------------------------------------------------------------------
.../wicket/protocol/http/WicketURLDecoder.java | 9 +++----
.../apache/wicket/protocol/http/WicketURLTest.java | 18 +++++++++++++++
2 files changed, 22 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/29a7c136/wicket/src/main/java/org/apache/wicket/protocol/http/WicketURLDecoder.java
----------------------------------------------------------------------
diff --git a/wicket/src/main/java/org/apache/wicket/protocol/http/WicketURLDecoder.java b/wicket/src/main/java/org/apache/wicket/protocol/http/WicketURLDecoder.java
index f3bf8b1..8a8675f 100644
--- a/wicket/src/main/java/org/apache/wicket/protocol/http/WicketURLDecoder.java
+++ b/wicket/src/main/java/org/apache/wicket/protocol/http/WicketURLDecoder.java
@@ -106,7 +106,6 @@ public class WicketURLDecoder
return null;
}
- boolean needToChange = false;
int numChars = s.length();
StringBuffer sb = new StringBuffer(numChars > 500 ? numChars / 2 : numChars);
int i = 0;
@@ -127,7 +126,6 @@ public class WicketURLDecoder
case '+' :
sb.append(decodePlus ? ' ' : '+');
i++;
- needToChange = true;
break;
case '%' :
@@ -180,7 +178,6 @@ public class WicketURLDecoder
"URLDecoder: Illegal hex characters in escape (%) pattern - " +
e.getMessage());
}
- needToChange = true;
break;
default :
@@ -190,6 +187,8 @@ public class WicketURLDecoder
}
}
- return (needToChange ? sb.toString() : s);
+ // no trying to filter out bad escapes beforehand, just kill all null bytes here at the
+ // end, that way none will come through
+ return sb.toString().replace("\0", "NULL");
}
-}
\ No newline at end of file
+}
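Review bot: The new return line `sb.toString().replace("\0", "NULL")` silently rewrites the decoded value instead of rejecting it, so a request carrying `%00` becomes indistinguishable from one that literally contained the text `NULL`, and nothing records that the substitution happened. The comment above it should state that contract for callers, for example `// NUL is replaced with the literal text "NULL", not rejected; callers cannot tell the input was altered`. The filter also covers only this decode pass: `%2500` should come out as the text `%00`, so any later layer that decodes again would presumably reintroduce the NUL, which is worth a sentence in the method's Javadoc. The method body starts outside this hunk, so whether the decoder has a logger available for a warning on substitution cannot be seen from here.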
http://git-wip-us.apache.org/repos/asf/wicket/blob/29a7c136/wicket/src/test/java/org/apache/wicket/protocol/http/WicketURLTest.java
----------------------------------------------------------------------
diff --git a/wicket/src/test/java/org/apache/wicket/protocol/http/WicketURLTest.java b/wicket/src/test/java/org/apache/wicket/protocol/http/WicketURLTest.java
index 49fe109..eb493df 100644
--- a/wicket/src/test/java/org/apache/wicket/protocol/http/WicketURLTest.java
+++ b/wicket/src/test/java/org/apache/wicket/protocol/http/WicketURLTest.java
@@ -46,4 +46,22 @@ public class WicketURLTest extends TestCase
assertEquals(" ", WicketURLDecoder.QUERY_INSTANCE.decode("+", "UTF-8"));
assertEquals("+", WicketURLDecoder.QUERY_INSTANCE.decode("%2B", "UTF-8"));
}
+
+
+ public void testMustNotEmitNullByteForPath() throws Exception
+ {
+ String evil = "http://www.devil.com/highway/to%00hell";
+ String decoded = WicketURLDecoder.PATH_INSTANCE.decode(evil, "UTF-8");
+ assertEquals(-1, decoded.indexOf('\0'));
+ assertEquals("http://www.devil.com/highway/toNULLhell", decoded);
+ }
+
+ public void testMustNotEmitNullByteForQuery() throws Exception
+ {
+ String evil = "http://www.devil.com/highway?destination=%00hell";
+ String decoded = WicketURLDecoder.QUERY_INSTANCE.decode(evil, "UTF-8");
+ assertEquals(-1, decoded.indexOf('\0'));
+ assertEquals("http://www.devil.com/highway?destination=NULLhell", decoded);
+ }
+
}
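Review bot: Both new tests exercise a single `%00` in the middle of a URL, which leaves the boundaries of the new filter unpinned. A double-encoded case would document that the decoder is single-pass and never produces NUL from `%2500`, for example `assertEquals("%00", WicketURLDecoder.PATH_INSTANCE.decode("%2500", "UTF-8"));`. A case with several NULs, including one at the start or end of the string, would be useful too. Since the `needToChange` short-cut was removed in the same commit, an assertion that an input without escapes still decodes to an equal string would guard the refactoring as well.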