do not emit 0
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/3f5cd4ab Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/3f5cd4ab Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/3f5cd4ab Branch: refs/heads/wicket-1.5.x Commit: 3f5cd4ab5e4c0a159f4e5f070e6b4d9d2f72da23 Parents: d5041e2 Author: Carl-Eric Menzel <cmen...@wicketbuch.de> Authored: Tue Jul 3 00:07:02 2012 +0200 Committer: Carl-Eric Menzel <cmen...@wicketbuch.de> Committed: Tue Jul 3 00:07:02 2012 +0200 ---------------------------------------------------------------------- .../java/org/apache/wicket/request/UrlDecoder.java | 7 +-- .../org/apache/wicket/request/UrlDecoderTest.java | 42 +++++++++++++++ 2 files changed, 45 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/3f5cd4ab/wicket-request/src/main/java/org/apache/wicket/request/UrlDecoder.java ---------------------------------------------------------------------- diff --git a/wicket-request/src/main/java/org/apache/wicket/request/UrlDecoder.java b/wicket-request/src/main/java/org/apache/wicket/request/UrlDecoder.java index 2c361fe..d0564eb 100644 --- a/wicket-request/src/main/java/org/apache/wicket/request/UrlDecoder.java +++ b/wicket-request/src/main/java/org/apache/wicket/request/UrlDecoder.java @@ -89,7 +89,6 @@ public class UrlDecoder return null; } - boolean needToChange = false; int numChars = s.length(); StringBuilder sb = new StringBuilder(numChars > 500 ? numChars / 2 : numChars); int i = 0; @@ -110,7 +109,6 @@ public class UrlDecoder case '+' : sb.append(decodePlus ? ' ' : '+'); i++; - needToChange = true; break; case '%' : @@ -163,7 +161,6 @@ public class UrlDecoder "URLDecoder: Illegal hex characters in escape (%) pattern - " + e.getMessage()); } - needToChange = true; break; default : 
@@ -173,6 +170,8 @@ public class UrlDecoder } } - return (needToChange ? sb.toString() : s); + // no trying to filter out bad escapes beforehand, just kill all null bytes here at the end, + // that way none will come through + return sb.toString().replace("\0", "NULL"); } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/wicket/blob/3f5cd4ab/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java ---------------------------------------------------------------------- diff --git a/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java b/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java new file mode 100644 index 0000000..90d913f --- /dev/null +++ b/wicket-request/src/test/java/org/apache/wicket/request/UrlDecoderTest.java 
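Review bot: Replacing each decoded U+0000 with the four letters `NULL` in the new `return sb.toString().replace("\0", "NULL");` silently rewrites the request value, so `to%00hell` and a literal `toNULLhell` now decode to the same string and a caller can no longer tell that a null byte was submitted. For a path or query decoder, rejecting the input is usually the safer contract, for example `if (sb.indexOf("\0") >= 0) throw new IllegalArgumentException("URLDecoder: null byte in decoded value");` before the return; the exception type used for illegal hex escapes earlier in the method is not visible in this hunk, so match whatever that is. If the substitution is kept, the method's Javadoc should state it, e.g. `Any U+0000 in the decoded result is replaced by the literal text "NULL".` As far as this hunk shows, only U+0000 is filtered, so other control characters such as CR and LF remain the caller's responsibility. decode() begins outside this hunk.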
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.request;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class UrlDecoderTest
+{
+ @Test
+ public void mustNotEmitNullByteForPath() throws Exception
+ {
+ String evil = "http://www.devil.com/highway/to%00hell";
+ String decoded = UrlDecoder.PATH_INSTANCE.decode(evil, "UTF-8");
+ assertEquals(-1, decoded.indexOf('\0'));
+ assertEquals("http://www.devil.com/highway/toNULLhell", decoded);
+ }
+
+ @Test
+ public void mustNotEmitNullByteForQuery() throws Exception
+ {
+ String evil = "http://www.devil.com/highway?destination=%00hell";
+ String decoded = UrlDecoder.QUERY_INSTANCE.decode(evil, "UTF-8");
+ assertEquals(-1, decoded.indexOf('\0'));
+ assertEquals("http://www.devil.com/highway?destination=NULLhell", decoded);
+ }
+}
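Review bot: Both tests exercise only a single `%00` in the middle of the value, so the final replace is never checked against a raw U+0000 character, repeated escapes, or an input that needs no decoding (the case that used to return `s` itself through the removed `needToChange` flag). Adding those cases pins the contract that no null character leaves decode() and that ordinary input comes back unaltered. The expectations below follow from the replace at the end of decode(); the loop body is not fully visible on this page, so confirm them against the implementation.

```java
	@Test
	public void mustNotEmitNullByteForRawOrRepeatedInput() throws Exception
	{
		// constructed sample inputs
		String raw = UrlDecoder.PATH_INSTANCE.decode("a\0b", "UTF-8");
		assertEquals(-1, raw.indexOf('\0'));
		String repeated = UrlDecoder.QUERY_INSTANCE.decode("x=%00%00", "UTF-8");
		assertEquals(-1, repeated.indexOf('\0'));
	}

	@Test
	public void mustLeaveInputWithoutEscapesUnchanged() throws Exception
	{
		String plain = "http://www.example.com/plain/path";
		assertEquals(plain, UrlDecoder.PATH_INSTANCE.decode(plain, "UTF-8"));
	}
```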