You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

Using locale-sensitive methods on locale-sensitive data can produce unexpected results if the no locale is specified . Programming language identifiers, protocol keys and HTML tags are often specified in a particular locale, usually Locale.ENGLISH. It may even be possible to bypass input filters by changing the default locale, which can alter the behavior of locale-sensitive methods. For example, when a string is converted to uppercase, it may be declared valid; however, changing the string back to lower case during subsequent execution may result in a black-listed string.

Any program which invokes local-sensitive methods on untrusted data must explicitly specify the locale to use with these methods.

Noncompliant Code Example

This noncompliant code example uses the locale-sensitive String.toUpperCase() method to convert an HTML tag to uppercase. While the English locale would convert "title" to "TITLE", using the Turkish locale will produce the string "T?TLE" in the Turkish locale where '?' is the Latin capital letter 'I' with a dot above the character [[API 2006]].

"title".toUpperCase();

Compliant Solution

This compliant solution explicitly sets the locale to English to avoid unexpected results.

"title".toUpperCase(Locale.ENGLISH);

This guideline also applies to the String.equalsIgnoreCase() method.

Risk Assessment

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

IDS16-J

medium

probable

medium

P8

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

[[API 2006]] Class String


      13. Input Validation and Data Sanitization (IDS)      IDS17-J. Understand how escape characters are interpreted when String literals are compiled

  • No labels