CLOUDSTACK-1625. NPE with updateResourceCount when && is passed thru API.
If an API request contains a bare '&' (i.e. no key-value pair) or '&<parameter-name>' (i.e. a 
parameter without a value), then we get an NPE because 
owasp.esapi.StringUtilities.stripControls doesn't handle a null value.


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/da89946c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/da89946c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/da89946c

Branch: refs/heads/ui-multiple-nics
Commit: da89946ca93a872d0a4bf907d4545c392b2055f1
Parents: c235d02
Author: Likitha Shetty <[email protected]>
Authored: Tue Mar 12 11:56:21 2013 +0530
Committer: Likitha Shetty <[email protected]>
Committed: Tue Mar 12 12:00:46 2013 +0530

----------------------------------------------------------------------
 server/src/com/cloud/api/ApiServer.java |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/da89946c/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java 
b/server/src/com/cloud/api/ApiServer.java
index deb5e12..0439c6e 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -327,10 +327,12 @@ public class ApiServer implements HttpRequestHandler, 
ApiServerService {
                     }
                     String[] value = (String[]) params.get(key);
                     // fail if parameter value contains ASCII control 
(non-printable) characters
-                    String newValue = 
StringUtils.stripControlCharacters(value[0]);
-                    if ( !newValue.equals(value[0]) ) {
-                        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, 
"Received value " + value[0] + " for parameter "
-                                + key + " is invalid, contains illegal ASCII 
non-printable characters");
+                    if (value[0] != null) {
+                        String newValue = 
StringUtils.stripControlCharacters(value[0]);
+                        if ( !newValue.equals(value[0]) ) {
+                            throw new 
ServerApiException(ApiErrorCode.PARAM_ERROR, "Received value " + value[0] + " 
for parameter "
+                                    + key + " is invalid, contains illegal 
ASCII non-printable characters");
+                        }
                     }
                     paramMap.put(key, value[0]);
                 }
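Review bot: The rejection message in the re-indented `throw new ServerApiException(...)` still concatenates the raw `value[0]`, so the control characters the check has just detected are copied verbatim into the exception text; if that text is logged or returned to the caller (not visible in this hunk), CR/LF inside a parameter could forge log lines or corrupt the response. Building the message from the sanitized copy avoids this: `"Received value " + newValue + " for parameter "`. Separately, with the new `if (value[0] != null)` guard a valueless parameter now reaches `paramMap.put(key, value[0])` and stores null, so either consumers of `paramMap` must tolerate null or the entry should be skipped; a short comment on the guard such as `// value[0] is null for a bare '&' or a parameter sent without a value` would record why it exists. The enclosing loop and method start and end outside the hunk.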
