hc-dev mailing list archives

From "oliver z (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCORE-338) A security test showed some "warnings"
Date Thu, 02 May 2013 08:52:17 GMT

    [ https://issues.apache.org/jira/browse/HTTPCORE-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13647387#comment-13647387 ]

oliver  z commented on HTTPCORE-338:
------------------------------------

forgot:
AuthenticationStrategyImpl.java 254
                
> A security test showed some "warnings"
> --------------------------------------
>
>                 Key: HTTPCORE-338
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-338
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore
>    Affects Versions: 4.2.4
>            Reporter: oliver  z
>
> I use HttpCore 4.2.4 and HttpClient 4.2.5 in a project which just got scanned by a security framework that showed me some warnings and I would like to know if that is a real risk or just a false positive.
> ChunkedOutputStream.java 97
> ChunkedOutputStream.java 109
> ChunkedOutputStream.java 110
> ContentLengthOutputStream.java 119
> It says it should be avoided to directly embed user input in log files. User-supplied data should be sanitized to construct log entries and a safe logging mechanism should be used like OWASP ESAPI logger which automatically removes unexpected carriage returns and line feeds. User-supplied data should always be validated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
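
The scanner advice quoted in the report (keep carriage returns and line feeds in user-supplied data from reaching a log entry), as an added Java example that is not part of the original message and is not HttpComponents or ESAPI code. The class name `LogSanitizer`, the method `neutralize`, the 200-character cap and the sample value are assumptions made for illustration.

```java
import java.util.logging.Logger;

public class LogSanitizer {
    private static final Logger LOG = Logger.getLogger(LogSanitizer.class.getName());
    private static final int MAX_LEN = 200; // assumed cap for one logged value

    /** Returns a single-line, printable rendering of an untrusted value. */
    static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "(null)";
        }
        StringBuilder out = new StringBuilder();
        int i = 0;
        for (; i < untrusted.length() && out.length() < MAX_LEN; i++) {
            char c = untrusted.charAt(i);
            if (c == '\r') {
                out.append("\\r");
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '\\') {
                out.append("\\\\"); // escape the escape character so output stays unambiguous
            } else if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029) {
                // remaining C0/C1 controls (incl. U+0085) and Unicode line/paragraph separators
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        if (i < untrusted.length()) {
            out.append("...[truncated]"); // make the cut visible to whoever reads the log
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a value carrying a CR/LF pair followed by text shaped like a log line.
        String value = "guest\r\n2013-05-02 08:52:17 INFO constructed second entry";
        // Unsafe pattern the scanner describes: the raw value would span two log lines.
        // LOG.info("user=" + value);
        // Neutralised: the whole value stays on the one line that this statement wrote.
        LOG.info("user=" + neutralize(value));
    }
}
```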
