New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

request.setCharacterEncoding 编码问题 #84

Closed

CaledoniaProject opened this issue Dec 20, 2017 · 1 comment

Labels

bug

Collaborator

CaledoniaProject commented Dec 20, 2017

有些情况下，用户可能会先设置请求参数编码，再获取参数，比如这段代码:

request.setCharacterEncoding("utf-8");
String xss = request.getParameter("xss");

当某个JS检测插件调用了 context.parameter 去获取参数，就会导致 Java 以默认的 ISO-8859-1 编码去解码，并缓存这个解码结果

之后应用如果调用 request.setCharacterEncoding 将不会产生任何效果，使用 request.getParameter 获取的值也只会是之前缓存过的、解码错误的数据

解决方案

请用户手动设置编码（最简单）
OpenRASP 挂钩 request.setCharacterEncoding 函数，当用户调用这个函数，就修改缓存里的数据，重新编码
OpenRASP 不主动调用 request.getParameter 函数，当用户调用过之后，context.parameter 才返回数据；否则返回空哈希

The text was updated successfully, but these errors were encountered:

CaledoniaProject added the bug label

Collaborator Author

CaledoniaProject commented Dec 26, 2017 •

edited

Loading

选择方案3，并更新了beta文档 #86

CaledoniaProject closed this as completed

# for free to join this conversation on GitHub. Already have an account? # to comment