Kevin W. Wall

Results: 215 comments by Kevin W. Wall

Unless anyone has some objection, I propose that ESAPI's `DefaultRandomizer.getRandomGUID()` should just call the static method `UUID.randomUUID()`, where the `UUID` class is `java.util.UUID`. That returns a Type 4...

Oh, I will note it as @deprecated as well. -kevin On Mon, Aug 22, 2022, 6:55 PM jeremiahjstacey ***@***.***> wrote: > If this method was created to fill a void...

Why not make a new class, say `DefaultUTF8Encoder`. If people want to use that one, they can just specify something like `ESAPI.Encoder=org.owasp.esapi.reference.DefaultUTF8Encoder` in their ESAPI.properties file. That's more or less...

If concerned about people complaining about the upgrade to the UTF-8 encoder, we could leave the default as is (DefaultEncoder) and just mention the alternative (DefaultUTF8Encoder, or whatever you want...

Isn't the usual approach to go with the longest match? -kevin -- Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall NSA: All your crypto bit are belong to us. On Sun, Sep 1,...

Works for me. I think I was thinking of regex matching. -kevin -- Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall NSA: All your crypto bit are belong to us. On Sun, Sep...

@xeno6696 - You did. I still have it in my inbox. It was from Alessandro Giannone and said "Any chance the percent encoding is working with UTF-8?" Perhaps he deleted...

Since this is still open, I wanted to toss out what seems like a useful resource, at least to me: - [UTR#36: Unicode Security Considerations](https://unicode.org/reports/tr36/)

I am dropping the priority of this issue from **Critical** to **High** since if it has not been fixed since 2011 and the last comment on it is from 2014...

Looking at this implementation more closely, the `accountName` is combined with the (presumably?) secret `Encryptor.MasterSalt` from the **ESAPI.properties** file. SHA-512 is used as the hash algorithm, but only 1024 iterations...