Describe the bug
Passing null to either the name or value parameters of SecurityWrapperResponse.setHeader will result in a NullPointerException (within StringUtilities.stripControls). This is almost always undesired behaviour, and contrary to the latest Servlet specification, which states how null values should behave (null header name is a no-op, null header value is a deletion).
Specify what ESAPI version(s) you are experiencing this bug in
2.7.0.0
To Reproduce
- Create an application that wraps the request and response in SecurityRequestWrapper.
- Attempt to delete a header using setHeader("myHeader", null)
- NullPointerException
Expected behavior
Null values should be ignored by ESAPI and gracefully passed to regular code.
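
An added example, not ESAPI's code or the reporter's: a null guard placed in front of control-character stripping, so that a null header name is ignored and a null value reaches the wrapped response as a deletion, while non-null values are still sanitized. `HeaderSink`, `MapSink`, `SafeResponse` and this `stripControls` are hypothetical stand-ins; no servlet or ESAPI classes are used.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class NullSafeHeaderDemo {
    // Hypothetical stand-in for the wrapped servlet response.
    interface HeaderSink { void setHeader(String name, String value); }

    // Stand-in container response with the semantics the report cites:
    // a null name is a no-op, a null value deletes the header.
    static class MapSink implements HeaderSink {
        final Map<String, String> headers = new LinkedHashMap<>();
        public void setHeader(String name, String value) {
            if (name == null) return;
            if (value == null) headers.remove(name); else headers.put(name, value);
        }
    }

    // Hypothetical sanitizer. Like the method named in the report, it
    // dereferences its argument, so a null input throws NullPointerException.
    static String stripControls(String input) {
        StringBuilder sb = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            sb.append(c < 0x20 || c == 0x7f ? ' ' : c);
        }
        return sb.toString();
    }

    // Wrapper that checks for null before sanitizing.
    static class SafeResponse implements HeaderSink {
        private final HeaderSink delegate;
        SafeResponse(HeaderSink delegate) { this.delegate = delegate; }
        public void setHeader(String name, String value) {
            if (name == null) return; // null name: nothing to set
            // A null value is passed through untouched so the delegate can delete.
            String safeValue = (value == null) ? null : stripControls(value);
            delegate.setHeader(stripControls(name), safeValue);
        }
    }

    public static void main(String[] args) {
        MapSink sink = new MapSink();
        HeaderSink response = new SafeResponse(sink);
        response.setHeader("myHeader", "a\r\nSet-Cookie: x=1"); // constructed input; CR/LF are stripped
        System.out.println(sink.headers);
        response.setHeader(null, "ignored");   // no-op, no exception
        response.setHeader("myHeader", null);  // deletion, no exception
        System.out.println(sink.headers);
    }
}
```

The guard only skips sanitization when there is nothing to sanitize; every non-null name and value still passes through the control-character filter before reaching the delegate.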