Page 6 of 13. Showing 123 results (0.007 seconds)

  1. MSC11-J. Do not let session information leak within a servlet

    != null) { out.println("Email Address:"); out.println(sanitize(emailAddr)); out.println("<br>Previous Address:"); out.println(sanitize … { doGet(request, response); } // Filter the specified message string for characters // that are sensitive in HTML. public static String sanitize
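    As an added example (not the MSC11-J page's own code), a sanitize() method of the kind the snippet describes: every character that is significant in HTML is replaced by its entity before the value is written into the servlet response, so a stored address field cannot inject markup. The class name HtmlSanitizer and the sample address value are assumptions made for the example.

```java
// Added example: HTML-escaping filter of the kind the MSC11-J snippet describes.
// The class name and the sample input are illustrative, not the CERT page's own code.
public final class HtmlSanitizer {

    private HtmlSanitizer() {}

    // Replace each character that is significant in HTML with its entity.
    // Characters not in the switch pass through unchanged; null stays null.
    public static String sanitize(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: an address field carrying an injected script tag.
        String emailAddr = "user@example.com<script>alert(1)</script>";
        System.out.println("Email Address: " + sanitize(emailAddr));
    }
}
```

    Escaping is done on output, at the point the value enters the HTML document, rather than on input, so the same stored value can later be emitted safely into a different context with a different encoder.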
  2. Re: ENV03-C. Sanitize the environment when invoking external programs

    Added your extra bad chars to the reject list, and changed the code to 'handle bad-char error' rather than silently change the command. Your other points are difficult to change in the code (or maybe I'm just lazy), so I put disclaimers in the text around the example, noting how difficult it is to properly sanitize
  3. Re: ENV03-C. Sanitize the environment when invoking external programs

    This guideline is stated to be a more specific instance of STR02-C. Sanitize data passed to complex subsystems That guideline has the following "Automated Detection" section: Fortify SCA Version 5.0 can detect violations of this rule. Klocwork Version 8.0.4.16 can detect violations of this rule
  4. Re: TPS01-J. Do not execute interdependent tasks in a bounded thread pool

    the String was a good idea as I'd considered it too but I failed to justify why an Integer or Double type would need to be "sanitized".
  5. Re: ERR01-J. Do not allow exceptions to expose sensitive information

    How about exceptions that are not transmitted but stored? For example: LOGGER.debug("personalData== "+personalData); In this case, personal information is written to a debug log file without proper sanitization. As a result, private information protected in the database (or other form of secure data repository
  6. Re: IDS00-J. Prevent SQL injection

    should be changed to if ((username.length() > 8) {} instead of >= 8. s/data/input? in different methods must be used to sanitize untrusted user data
  7. Re: JNI00-J. Define wrappers around native methods

    ). Also, I don't get "and sanitizing user input". How is this going to happen in a wrapper method?
  8. Re: IDS53-J. Prevent XPath Injection

    The OWASP stuff is useful for penetration testers and for verification that the system is not vulnerable to the said attacks. You can always say in the intro "if your application accepts the following special characters without sanitization, you are doomed". In any case, white-listing is unfeasible when you must allow
  9. Re: IDS14-J. Do not trust the contents of hidden form fields

    Two more comments: The sanitize() method has a level of commenting that is not consistent with our other methods. Clearly this is better, but it sort of raises the question of why we aren't doing this everywhere. After Benito went through all our C rules and added the includes, I've sort of taken to adding
  10. Re: ERR01-J. Do not allow exceptions to expose sensitive information

    In Noncompliant Code Example (Wrapping and Rethrowing Sensitive Exception): IOException is a checked exception and NOT unchecked. Text needs to be changed - just say wrap the exception and rethrow. Can this sentence be reworded - queries that result in the sanitized message exclude the requested file