From: MacDonald, N. (Nick) <nma...@av...> - 2012-08-16 19:16:15
Hello:
I am in the process of reviewing old changes to the EJBCA source base that were made by a team of developers no longer at the company. In tracking down a change I came across one thing that I think is applicable to the current 4.0.11 source base.
In the file ejbca_4_0_11\src\java\org\ejbca\core\model\InternalResources.java I see the current code:
    private String getLocalizedMessage(final String key, final Object[] params, final int numOfParams) {
        [...]
            try {
                // "param" is passed as a raw regex replacement string, so '\' and '$'
                // in it are interpreted by java.util.regex rather than taken literally
                localizedString = localizedString.replaceAll("\\{" + i + "\\}", param);
            } catch (IllegalArgumentException e) {
                // If "param" contains some specific things, regexp may fail
                // under some circumstances
                try {
                    // fallback: substitute the exception text instead of the parameter
                    localizedString = localizedString.replaceAll("\\{" + i + "\\}", e.getMessage());
                } catch (IllegalArgumentException e1) {
                    localizedString = localizedString.replaceAll("\\{" + i + "\\}", "IllegalArgumentException");
                }
            }
        }
        // Remove all remaining {} if any
        localizedString = localizedString.replaceAll("\\{\\d\\}", "");
        return localizedString;
    }
It looks like someone tried to work around a "bug" they encountered and added protective code to the replaceAll.
I believe the correct fix to be thus:
localizedString = localizedString.replaceAll("\\{" + i + "\\}", Matcher.quoteReplacement(param));
With the call to Matcher.quoteReplacement() there will be no characters that should cause any exceptions, and the protective code will not be necessary.
This is a very common problem for users of regular expressions in Java, and it's advisable that someone search your code base for calls to such functions, replaceAll() being one such method, but there are others, such as replaceFirst(). There are quoting functions for the first parameter as well as for the last parameter, but they are unfortunately not the same. For the first parameter you would use: Pattern.quote()
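The following is an added example illustrating the point of the mail above; it is not EJBCA code. The template text and the two name values are constructed, and the method names naiveFormat/safeFormat are hypothetical. It shows that an unquoted replacement does not only throw: a backslash in the parameter is silently consumed as an escape, which alters the value without any exception, while a '$' followed by a non-digit throws IllegalArgumentException. Quoting both sides keeps the values intact.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class QuoteReplacementDemo {

    // Constructed template in the style of an InternalResources message
    // (hypothetical text, not taken from the project's resource files).
    static final String TEMPLATE = "Certificate for {0} issued by {1}";

    // Unquoted substitution, as in the code quoted in the mail: the parameter
    // is used as a raw java.util.regex replacement string, so '\' escapes the
    // next character and '$' starts a group reference.
    static String naiveFormat(String template, String... params) {
        String out = template;
        for (int i = 0; i < params.length; i++) {
            out = out.replaceAll("\\{" + i + "\\}", params[i]);
        }
        return out;
    }

    // Quoted substitution: Pattern.quote() makes the pattern side literal and
    // Matcher.quoteReplacement() makes the replacement side literal.
    static String safeFormat(String template, String... params) {
        String out = template;
        for (int i = 0; i < params.length; i++) {
            out = out.replaceAll(Pattern.quote("{" + i + "}"),
                                 Matcher.quoteReplacement(params[i]));
        }
        return out.replaceAll("\\{\\d\\}", ""); // drop unsupplied placeholders
    }

    public static void main(String[] args) {
        // Constructed inputs: an escaped comma and a '$' are both legal in
        // X.500 names, so values like these reach this code in real certificate data.
        String subject = "CN=Acme\\, Inc.,O=Example"; // i.e. CN=Acme\, Inc.,O=Example
        String issuer  = "CN=Root $CA";

        // Case 1: no exception, but the DN is silently altered ('\,' becomes ',').
        System.out.println(naiveFormat(TEMPLATE, subject));
        // Case 2: '$C' is not a valid group reference, so replaceAll throws;
        // this is the failure the try/catch in the mail was papering over.
        try {
            System.out.println(naiveFormat(TEMPLATE, subject, issuer));
        } catch (IllegalArgumentException e) {
            System.out.println("naive: " + e);
        }
        // Hardened: both values appear exactly as supplied.
        System.out.println(safeFormat(TEMPLATE, subject, issuer));
    }
}
```

A "$0" in a parameter is the third case worth knowing: it is accepted without error and expands to the matched placeholder text, so the output differs from the input with no exception to catch; only quoting prevents it.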