-
Notifications
You must be signed in to change notification settings - Fork 364
/
esapi4java-core-2.1.0.1-release-notes.txt
129 lines (111 loc) · 6.64 KB
/
esapi4java-core-2.1.0.1-release-notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
Release notes for ESAPI 2.1.0.1
Release date: 2016-Feb-05
-Kevin W. Wall <kevin.w.wall@gmail.com>
-Chris Schmidt <chris.schmidt@owasp.org>
Previous release: ESAPI 2.1.0, Sept 2013
-----------------------------------------------------------------------------
GitHub Issues fixed in this release:
36 issues closed
32 - URLs in doc for HTTPUtilities.setNoCacheHeaders are wrong
58 - Separate Crypto Related Properties into Separate File
Fixed as part of issue #350. Can be addressed by placing sensitive
ESAPI crypto properties into a separate properties file controlled by
the operations team and not checked into your SCM. For further details,
see documentation/ESAPI-configuration-user-guide.md and use system property
org.owasp.esapi.opsteam.
96 - Need validation configuration enhancements
103 - Make ESAPI configuration XML
200 - DefaultHttpUtilities.sendRedirect should throw AccessControlException, not IOException
205 - BaseValidationRule.assertValid(String context, String input) causes NPE if input is not valid.
221 - IntrusionException should extend EnterpriseRuntimeException
229 - printStackTrace when loading configuration file
237 - how can we use esapi in java for validation,please see files attached containing java code and for errors
254 - Patch for /trunk/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java
261 - Could not set multiple cookies one by one at single request
275 - Log4JLogger.java doesn't output correct file & line number because FQCN isn't forwarded to Log4J
276 - Patch for /branches/2.1/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java
287 - Patch for /branches/2.1/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java
288 - Patch for /trunk/src/test/java/org/owasp/esapi/reference/UserTest.java
289 - ClickjackFilter after doFilter
306 - Canonicalizing "%Device% changes the meaning of the input string
313 - Insecure default configuation for Executor.ApprovedExecutables in ESAPI.properties file
315 - ValidatorTest.testIsValidDate fails if default locale is not US
318 - Incorrect Equality test on floating point values
319 - Resource leak: FileInputStream is not closed on method exit
321 - Unsynchronized get method, synchronized set method
322 - RequestRateThrottleFilter may not work as expected with hits=1 or hits=2
323 - PolicyFactory Sanitize method weird output
328 - StringUtils.union broken which has minor impact on CSRF Protection and random file name generation
330 - setHeader blocks legitimate headers due to header name size limit being too low
331 - Log4j configuration with no root level causes NPE in Log4jLogger.java
334 - Regex in ESAPI.properties is not considering few of the french characters
336 - Log4JLogger.java doesn't output correct file & line number-Similar issue as reported in Issue 268
344 - JUnit test failure in ValidatorTest.testGetValidSafeHTML()
345 - JUnit test failure in ValidatorTest.testIsValidDate()
347 - Fixes #345 - JUnit test failure in ValidatorTest.testIsValidDate()
349 - Package correctly the esapi.tld into ESAPI jar
350 - [ESAPI Spring Code Sprint – May / June 2015] Implementation of requirements
351 - getHeader length limit error
354 - Add stern javadoc warning about Base64.decodeToObject() being unsafe and mark method as deprecated.
Note: This method no longer functions unless the system property org.owasp.esapi.enableUnsafeSerialization
is set to "true". This breaks backward compatibility in favor of taking a more secure posture.
355 - Temp files created by org.owasp.esapi.waf.internal.InterceptingServletOutputStream not removed by WAF JUnit tests
356 - Make end-of-line terminators consistent for .java, .xml, and other ESAPI source files.
359 - CodecTest unit tests never test with a populated char array.
-----------------------------------------------------------------------------
Other changes in this release not tracked via GitHub issues
* Miscellaneous minor javadoc fixes and updates.
* Fixed grammatical error in CipherTextSerializer class error message.
* Upgraded versions of several ESAPI dependencies (i.e., 3rd party jars), including several that had unpatched CVEs.
* Added the Maven plug-in for OWASP Dependency Check so 3rd party dependencies can be kept up-to-date.
* Added .gitignore file so that certain files won't get accidentally commited such as IDE files.
* Added .gitattributes file so to help resolve end-of-line issues. (Part of issue 356.)
* Added new documentation (documentation/ESAPI-configuration-user-guide.md) describing new ESAPI configuration feature.
* Changed many assertions in ESAPI crypto to explicit runtime checks that
throw IllegalArgumentException instead.
-----------------------------------------------------------------------------
ATTENTION: Other Important Notes
The JUnit test AuthenticatorTest.setCurrentUser() is periodically failing
due to an apparent race condition either in the test itself or in
FileBasedAuthenticator. See GitHub issue #360 for details, including
why we don't think it is worth holding up the release for.
-----------------------------------------------------------------------------
Contributors for ESAPI 2.1.0.1 release
Notice: My appologies if I've missed anyone, but you did have an opportunity
to send me your names. (I solicited for contributors names to emails
to the ESAPI-Dev and ESAPI-User mailing lists sent on 1/23/2016.)
If I missed you and you contributed to THIS release, please send
me an email with your first and last name and what your SPECIFIC
contribution was and I will see you name is added to this list.
- Kevin W. Wall
Project co-leaders
Kevin W. Wall (kwwall)
Chris Schmidt (chrisisbeef)
Special shout-outs to:
Matt Seil (xeno6696)
Jeremiah Stacey (jeremiahjstacey)
Special contributions:
ESAPI Hackathon participants - November 18, 2014 - January 20, 2014
Daniel Amodio
Eric Kobrin
Eric Citaire
Eamonn Washington
John Melton
Special thanks to Samantha Groves for assisting with the ESAPI hackathon
Professor and students involved in ESAPI Spring Code Sprint (May - June, 2015):
Marek Zachara - instructor
Patryk Bak - student
Marcin Siedlarz - student
Szymon Bobowiec - student
Karol Kapcia - student
Fabio Cerullo - OWASP board coordination for code sprint
Other Contributors:
Karan Sanwal
Arpit Gupta
Constantino Cronemberger
Tàrin Gamberìni
Kad Dembele
Anthony Musyoki
Andrew VanLoo
Ashish Tripathy
Brad Schoening