DecodeFromURL

Explorer, Oct 11, 2012

New Here, Oct 11, 2012

Should note that canonicalize() should be run before passing data to DecodeFromURL() since DecodeFromURL() will throw errors on double and mixed encodings.

see esapi javadoc: https://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#decodeFromURL(java.lang.String)

Advocate, Oct 11, 2012

Actually, you should NOT call canonicalize before passing to decodeURL. Canonicalize should be called prior to encoding, not decoding.

In fact, calling canonicalize before outputting data to the browser will create security holes.

The reason that the decode methods throw errors when faced with double or mixed encoding is because double/mixed encoding is a red flag for an attack. If you canonicalize that user input before sticking it on your page you are enabling the attack. Something that was double/mixed encoded should NOT be displayed, especially not in a canonicalized form.

Canonicalize removes all encoding (including URL encoding, so it would not make sense to do it before decodeForURL for that reason either). If you remove all the encoding from an injection attack then that injection will likely succeed. If you then intend to re-encode properly you would be protected; however, you would be hiding a likely attack.

If you are properly canonicalizing prior to encoding data then there is no reason to canonicalize when decoding.

New Here, Oct 11, 2012

I was not suggesting that you should directly output the result back to the web page. It should be properly encoded for the output context it will be used.

My problem is that the documentation does not state that it will not accept multiple and/or mixed encodings, which could cause confusion for some people. I was only referencing canonicalize() so that if one needed to deal with multiple and/or mixed encodings which function could deal with it. The original comment was not worded the best.

New Here, Oct 12, 2012

DecodeFromURL will throw an error if the input string contains multiple and/or mixed encodings when the ESAPI.properties settings Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding are set to false (the default setting for ColdFusion). This is because DecodeFromURL() calls canonicalize internally, using the ESAPI.properties to determine how canonicalize should deal with multiple and/or mixed encodings.

Advocate, Oct 12, 2012

Of course. I knew that too. Sorry, I was too focused on the idea that completely decoded output is dangerous.

The moral of the story, the point I was trying to get across, and the reason that AllowMultipleEncoding and AllowMixedEncoding are set to false by default, is that if those characteristics are present then the string is likely an attack, and you should not be trying to avoid the error unless you know what you're doing.

The secondary moral is: encode ALL untrusted data before outputting it to the screen. Canonicalize does not add security; it actually removes it, by removing any encoding that may exist. It is a helper function that is there to avoid unintentional double-encoding.

Thanks for correcting me.

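The behaviour the last two posts describe, as an added example in Python (this is not ColdFusion's or ESAPI's own code): a canonicalizer that peels off percent and HTML-entity encoding one layer at a time, records which codec each pass used, and rejects input that needed the same codec twice (multiple encoding) or more than one codec (mixed encoding), the way DecodeFromURL() does when the two ESAPI.properties switches are false. The switch constants, the exception class, the `flag_reason` helper and the sample inputs are constructed for this illustration and are not ESAPI names.

```python
import html
from urllib.parse import unquote

# Constructed stand-ins for the two ESAPI.properties switches named in the thread.
ALLOW_MULTIPLE_ENCODING = False
ALLOW_MIXED_ENCODING = False


class IntrusionDetected(Exception):
    """Raised where the real library throws: input looks double- or mixed-encoded."""


def canonicalize(value, allow_multiple=ALLOW_MULTIPLE_ENCODING,
                 allow_mixed=ALLOW_MIXED_ENCODING):
    """Peel off every layer of percent and HTML-entity encoding, returning
    (decoded, codecs_used). Same codec twice is "multiple" encoding, two
    different codecs is "mixed"; each is rejected unless its switch allows it."""
    codecs_used, current = [], value
    while True:
        changed = False
        for name, decoder in (("percent", unquote), ("html", html.unescape)):
            decoded = decoder(current)
            if decoded != current:          # this codec found something to strip
                codecs_used.append(name)
                current, changed = decoded, True
        if not changed:                     # nothing left to decode
            break
    distinct = set(codecs_used)
    if len(distinct) > 1 and not allow_mixed:
        raise IntrusionDetected(f"mixed encoding: {codecs_used}")
    if len(codecs_used) > len(distinct) and not allow_multiple:
        raise IntrusionDetected(f"multiple encoding: {codecs_used}")
    return current, codecs_used


def decode_from_url(value):
    """Model of DecodeFromURL(): canonicalize under the default (strict) switches."""
    decoded, _ = canonicalize(value)
    return decoded


def flag_reason(value):
    """Return 'multiple', 'mixed' or None, e.g. for logging what was rejected."""
    try:
        canonicalize(value)
    except IntrusionDetected as exc:
        return str(exc).split(" ", 1)[0]
    return None
```

Note that the rejected string is never returned to the caller, so nothing a later output encoder would have to repair ever reaches the page; logging the reason is the only use made of it.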