ESAPI functions break systemOutput under load

Description

If the OWASP ESAPI methods in Lucee, such as encodeForHTMLAttribute(), are called under load, System.out appears to get permanently redirected to /dev/null. That is, it breaks systemOutput().

I put together a repro case here: https://github.com/mjclemente/lucee-owasp-error-repro

Environment

CommandBox

Activity


Zac Spitzer 9 April 2020 at 23:44

Brad Wood 9 April 2020 at 22:43

Thanks for addressing this

Michael Offner 9 April 2020 at 22:37

Sidenote: SystemOutput itself is also no longer affected by any manipulation of System.out and System.err at all.

Michael Offner 9 April 2020 at 22:26

Removed all System.err|out manipulation and set the system property "org.owasp.esapi.logSpecial.discard", which suppresses all output created by the library.

It was also necessary to update the ESAPI jar to 2.2.0.0, because the above setting was not supported before.

https://github.com/lucee/extension-esapi/commit/9153707149e86eac57eb5ee1ed9862399adcd880
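The two halves of the fix described in the comment above, as an added stand-alone Java example (not Lucee, ESAPI or the linked commit's code): pin the JVM's original stdout so that a library calling System.setOut() cannot silence your own output, and set the "org.owasp.esapi.logSpecial.discard" property before the library initialises. The MisbehavingLibrary class is a constructed stand-in for a library that swaps System.out, not ESAPI itself; the property name comes from the comment, and the example does not load the ESAPI jar.

```java
import java.io.OutputStream;
import java.io.PrintStream;

/**
 * Added example, not part of Lucee or ESAPI. Shows why output written through
 * System.out is lost once a library replaces the stream, and how pinning the
 * original stream at startup keeps diagnostic output working regardless.
 */
public class StdoutPinningDemo {

    // 1) Pin the JVM's original stdout at class-initialisation time. A later
    //    System.setOut() call cannot reach this reference.
    private static final PrintStream ORIGINAL_OUT = System.out;

    // Constructed stand-in for a library that silently redirects System.out to a
    // stream that discards everything (hypothetical; not the ESAPI code path).
    static final class MisbehavingLibrary {
        static void encode() {
            System.setOut(new PrintStream(new OutputStream() {
                @Override
                public void write(int b) { /* discard */ }
            }));
        }
    }

    /** Naive logger: writes to whatever System.out currently points at. */
    static void naiveOutput(String msg) {
        System.out.println(msg);
    }

    /** Pinned logger: always writes to the stream captured at startup. */
    static void pinnedOutput(String msg) {
        ORIGINAL_OUT.println(msg);
        ORIGINAL_OUT.flush();
    }

    /** Detection: reports whether something has replaced the JVM's stdout. */
    static boolean stdoutWasReplaced() {
        return System.out != ORIGINAL_OUT;
    }

    public static void main(String[] args) {
        // 2) Configuration half of the fix: tell ESAPI (2.2.0.0 or later, per the
        //    comment) to discard its logSpecial output. Must be set before the
        //    library initialises, e.g. here or via -Dorg.owasp.esapi.logSpecial.discard=true.
        System.setProperty("org.owasp.esapi.logSpecial.discard", "true");

        naiveOutput("before: naive output visible");
        pinnedOutput("before: pinned output visible");

        MisbehavingLibrary.encode();   // replaces System.out

        naiveOutput("after: this line is swallowed");
        pinnedOutput("after: pinned output still visible");

        if (stdoutWasReplaced()) {
            pinnedOutput("warning: System.out has been replaced by "
                    + System.out.getClass().getName());
        }
    }
}
```

Run with `javac StdoutPinningDemo.java && java StdoutPinningDemo`: the "before" lines and the pinned "after" line appear, the naive "after" line does not, and the warning shows that the replacement is detectable by comparing the live System.out against the pinned reference.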

Fixed


Created 6 March 2020 at 21:11
Updated 8 May 2020 at 18:34
Resolved 9 April 2020 at 22:36
