Posted to dev@hc.apache.org by "oliver z (JIRA)" <ji...@apache.org> on 2013/05/02 10:46:16 UTC
[jira] [Created] (HTTPCORE-338) A security test showed some "warnings"
oliver z created HTTPCORE-338:
----------------------------------
Summary: A security test showed some "warnings"
Key: HTTPCORE-338
URL: https://issues.apache.org/jira/browse/HTTPCORE-338
Project: HttpComponents HttpCore
Issue Type: Bug
Components: HttpCore
Affects Versions: 4.2.4
Reporter: oliver z
I use HttpCore 4.2.4 and HttpClient 4.2.5 in a project which just got scanned by a security framework that showed me some warnings, and I would like to know if that is a real risk or just a false positive.
ChunkedOutputStream.java 97
ChunkedOutputStream.java 109
ChunkedOutputStream.java 110
ContentLengthOutputStream.java 119
It says it should be avoided to directly embed user input in log files. User-supplied data should be sanitized to construct log entries and a safe logging mechanism should be used like OWASP ESAPI logger which automatically removes unexpected carriage returns and line feeds. User-supplied data should always be validated.
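The sanitisation step that the scanner's advice describes, as an added example that is not part of the original message and is not HttpCore or ESAPI code: it escapes carriage returns, line feeds and other control characters in a user-supplied value before the value is written to a log entry. The class name, the `forLog` helper, the length cap and the sample header value are assumptions made for illustration.

```java
import java.util.logging.Logger;

// Added example (not HttpCore or ESAPI code): keep an untrusted value on a
// single log line by escaping line breaks and other control characters.
public class LogSanitizerDemo {
    private static final Logger LOG = Logger.getLogger(LogSanitizerDemo.class.getName());
    private static final int MAX_LEN = 200; // assumed cap for one logged field

    /** Returns a single-line, printable rendering of an untrusted value. */
    static String forLog(String untrusted) {
        if (untrusted == null) {
            return "(null)";
        }
        StringBuilder out = new StringBuilder();
        int limit = Math.min(untrusted.length(), MAX_LEN);
        for (int i = 0; i < limit; i++) {
            char c = untrusted.charAt(i);
            if (c == '\r') {
                out.append("\\r");
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '\\') {
                // Escape the escape character so the output stays unambiguous.
                out.append("\\\\");
            } else if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029') {
                // Remaining control characters and Unicode line/paragraph separators.
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        if (untrusted.length() > MAX_LEN) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a header value that contains an embedded line break.
        String userAgent = "curl/7.0\r\nINFO: second line supplied by the client";
        // Unsanitised: the entry spans two lines in the log file.
        LOG.info("request rejected, user-agent=" + userAgent);
        // Sanitised: one line, with the line break shown as the literal text \r\n.
        LOG.info("request rejected, user-agent=" + forLog(userAgent));
    }
}
```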