| 1 | +Release notes for ESAPI 2.1.0.1 |
| 2 | + Release date: 2016-Feb-?? |
| 3 | + -Kevin W. Wall < [email protected]> |
| 4 | + |
| 5 | +Previous release: ESAPI 2.1.0, Sept 2013 |
| 6 | + |
| 7 | + |
| 8 | +----------------------------------------------------------------------------- |
| 9 | + GitHub Issues fixed in this release: |
| 10 | + 35 issues closed |
| 11 | + |
| 12 | +32 - URLs in doc for HTTPUtilities.setNoCacheHeaders are wrong |
| 13 | +58 - Separate Crypto Related Properties into Separate File |
| 14 | + Fixed as part of issue #350. Can be addressed by placing sensitive |
| 15 | + ESAPI crypto properties into a separate properties file controlled by |
| 16 | + the operations team and not checked into your SCM. For further details, |
| 17 | + see documentation/ESAPI-configuration-user-guide.md and use system property |
| 18 | + org.owasp.esapi.opsteam. |
| 19 | +96 - Need validation configuration enhancements |
| 20 | +103 - Make ESAPI configuration XML |
| 21 | +200 - DefaultHttpUtilities.sendRedirect should throw AccessControlException, not IOException |
| 22 | +205 - BaseValidationRule.assertValid(String context, String input) causes NPE if input is not valid. |
| 23 | +221 - IntrusionException should extend EnterpriseRuntimeException |
| 24 | +229 - printStackTrace when loading configuration file |
| 25 | +237 - how can we use esapi in java for validation,please see files attached containing java code and for errors |
| 26 | +261 - Could not set multiple cookies one by one at single request |
| 27 | +275 - Log4JLogger.java doesn't output correct file & line number because FQCN isn't forwarded to Log4J |
| 28 | +276 - Patch for /branches/2.1/src/main/java/org/owasp/esapi/reference/DefaultExecutor.java |
| 29 | +287 - Patch for /branches/2.1/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java |
| 30 | +288 - Patch for /trunk/src/test/java/org/owasp/esapi/reference/UserTest.java |
| 31 | +289 - ClickjackFilter after doFilter |
| 32 | +306 - Canonicalizing "%Device% changes the meaning of the input string |
| 33 | +313 - Insecure default configuation for Executor.ApprovedExecutables in ESAPI.properties file |
| 34 | +315 - ValidatorTest.testIsValidDate fails if default locale is not US |
| 35 | +318 - Incorrect Equality test on floating point values |
| 36 | +319 - Resource leak: FileInputStream is not closed on method exit |
| 37 | +321 - Unsynchronized get method, synchronized set method |
| 38 | +322 - RequestRateThrottleFilter may not work as expected with hits=1 or hits=2 |
| 39 | +323 - PolicyFactory Sanitize method weird output |
| 40 | +328 - StringUtils.union broken which has minor impact on CSRF Protection and random file name generation |
| 41 | +330 - setHeader blocks legitimate headers due to header name size limit being too low |
| 42 | +331 - Log4j configuration with no root level causes NPE in Log4jLogger.java |
| 43 | +334 - Regex in ESAPI.properties is not considering few of the french characters |
| 44 | +336 - Log4JLogger.java doesn't output correct file & line number-Similar issue as reported in Issue 268 |
| 45 | +344 - JUnit test failure in ValidatorTest.testGetValidSafeHTML() |
| 46 | +345 - JUnit test failure in ValidatorTest.testIsValidDate() |
| 47 | +347 - Fixes #345 - JUnit test failure in ValidatorTest.testIsValidDate() |
| 48 | +349 - Package correctly the esapi.tld into ESAPI jar |
| 49 | +350 - [ESAPI Spring Code Sprint – May / June 2015] Implementation of requirements |
| 50 | +351 - getHeader length limit error |
| 51 | +354 - Add stern javadoc warning about Base64.decodeToObject() being unsafe and mark method as deprecated. |
| 52 | + Note: This method no longer functions unless the system property org.owasp.esapi.enableUnsafeSerialization |
| 53 | + is set to "true". This breaks backward compatibility in favor of taking a more secure posture. |
| 54 | +355 - Temp files created by org.owasp.esapi.waf.internal.InterceptingServletOutputStream not removed by WAF JUnit tests |
| 55 | +356 - Make end-of-line terminators consistent for .java, .xml, and other ESAPI source files. |
| 56 | +359 - CodecTest unit tests never test with a populated char array. |
| 57 | + |
| 58 | + |
| 59 | +----------------------------------------------------------------------------- |
| 60 | + |
| 61 | + Other changes in this release not tracked via GitHub issues |
| 62 | + |
| 63 | +* Miscellaneous minor javadoc fixes and updates. |
| 64 | +* Fixed grammatical error in CipherTextSerializer class error message. |
| 65 | +* Upgraded versions of several ESAPI dependencies (i.e., 3rd party jars), including several that had unpatched CVEs. |
| 66 | +* Added the Maven plug-in for OWASP Dependency Check so 3rd party dependencies can be kept up-to-date. |
| 67 | +* Added .gitignore file so that certain files won't get accidentally commited such as IDE files. |
| 68 | +* Added .gitattributes file so to help resolve end-of-line issues. (Part of issue 356.) |
| 69 | +* Added new documentation (documentation/ESAPI-configuration-user-guide.md) describing new ESAPI configuration feature. |
| 70 | +* Changed many assertions in ESAPI crypto to explicit runtime checks that |
| 71 | + throw IllegalArgumentException instead. |
| 72 | + |
| 73 | +----------------------------------------------------------------------------- |
| 74 | + ATTENTION: Other Important Notes |
| 75 | + |
| 76 | +The JUnit test AuthenticatorTest.setCurrentUser() is periodically failing |
| 77 | +due to an apparent race condition either in the test itself or in |
| 78 | +FileBasedAuthenticator. See GitHub issue #360 for details, including |
| 79 | +why we don't think it is worth holding up the release for. |
| 80 | + |
| 81 | +----------------------------------------------------------------------------- |
| 82 | + |
| 83 | + Contributors for ESAPI 2.1.0.1 release |
| 84 | + |
| 85 | +Notice: My appologies if I've missed anyone, but you did have an opportunity |
| 86 | + to send me your names. (I solicited for contributors names to emails |
| 87 | + to the ESAPI-Dev and ESAPI-User mailing lists sent on 1/23/2016.) |
| 88 | + If I missed you and you contributed to THIS release, please send |
| 89 | + me an email with your first and last name and what your SPECIFIC |
| 90 | + contribution was and I will see you name is added to this list. |
| 91 | + - Kevin W. Wall |
| 92 | + |
| 93 | +Project co-leaders |
| 94 | + Kevin W. Wall (kwwall) |
| 95 | + Chris Schmidt (chrisisbeef) |
| 96 | + |
| 97 | +Special shout-outs to: |
| 98 | + Matt Seil (xeno6696) |
| 99 | + Jeremiah Stacey (jeremiahjstacey) |
| 100 | + |
| 101 | +Special contributions: |
| 102 | + ESAPI Hackathon participants - November 18, 2014 - January 20, 2014 |
| 103 | + Daniel Amodio |
| 104 | + Eric Kobrin |
| 105 | + Eric Citaire |
| 106 | + Eamonn Washington |
| 107 | + John Melton |
| 108 | + Special thanks to Samantha Groves for assisting with the ESAPI hackathon |
| 109 | + |
| 110 | + Professor and students involved in ESAPI Spring Code Sprint (May - June, 2015): |
| 111 | + Marek Zachara - instructor |
| 112 | + Patryk Bak - student |
| 113 | + Marcin Siedlarz - student |
| 114 | + Szymon Bobowiec - student |
| 115 | + Karol Kapcia - student |
| 116 | + Fabio Cerullo - OWASP board coordination for code sprint |
| 117 | + |
| 118 | +Other Contributors: |
| 119 | + Karan Sanwal |
| 120 | + Arpit Gupta |
| 121 | + Constantino Cronemberger |
| 122 | + Tàrin Gamberìni |
| 123 | + Kad Dembele |
| 124 | + Anthony Musyoki |
| 125 | + Andrew VanLoo |
| 126 | + Ashish Tripathy |
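Review bot: The backward-incompatible change recorded under issue 354 (Base64.decodeToObject() now disabled unless org.owasp.esapi.enableUnsafeSerialization is "true") and the changed default for Executor.ApprovedExecutables (issue 313) are the two items an upgrader must act on, yet the "ATTENTION: Other Important Notes" section mentions only the flaky AuthenticatorTest; consider repeating both there so they are not buried in the issue list. Also fill in the placeholder in "Release date: 2016-Feb-??" before tagging, and check the hackathon date range "November 18, 2014 - January 20, 2014", whose end date precedes its start. Minor spelling: "configuation" (issue 313 line), "appologies", "commited", "so to help" and "see you name is added" in the contributors notice.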