From: Tomas G. <to...@pr...> - 2012-08-17 05:40:57
Thanks for the info Nick,

I created https://jira.primekey.se/browse/ECA-2737

Cheers,
Tomas

On 08/16/2012 09:16 PM, MacDonald, Nick (Nick) wrote:
> Hello:
>
> I am in the process of reviewing old changes to the EJBCA source base
> that were made by a team of developers no longer at the company. In
> tracking down a change I came across one thing that I think is
> applicable to the current 4.0.11 source base.
>
> In the file: ejbca_4_0_11\src\java\org\ejbca\core\model\InternalResources.java
> I see the current code:
>
>     private String getLocalizedMessage(final String key, final Object[] params, final int numOfParams) {
>         […]
>             try {
>                 localizedString = localizedString.replaceAll("\\{" + i + "\\}", param);
>             } catch (IllegalArgumentException e) {
>                 // If "param" contains some specific things, regexp may fail
>                 // under some circumstances
>                 try {
>                     localizedString = localizedString.replaceAll("\\{" + i + "\\}", e.getMessage());
>                 } catch (IllegalArgumentException e1) {
>                     localizedString = localizedString.replaceAll("\\{" + i + "\\}", "IllegalArgumentException");
>                 }
>             }
>         }
>         // Remove all remaining {} if any
>         localizedString = localizedString.replaceAll("\\{\\d\\}", "");
>         return localizedString;
>     }
>
> It looks like someone tried to work around a “bug” they encountered and
> added protective code to the replaceAll.
>
> I believe the correct fix to be thus:
>
>     localizedString = localizedString.replaceAll("\\{" + i + "\\}",
>             Matcher.quoteReplacement(param));
>
> With the call to Matcher.quoteReplacement() there will be no characters
> that should cause any exceptions, and the protective code will not be
> necessary.
>
> This is a very common problem for users of regular expressions in Java,
> and it’s advisable that someone search your code base for calls to such
> functions, replaceAll() being one such method, but there are others, such
> as replaceFirst(). There are quoting functions for the first parameter
> as well as for the last parameter, but they are unfortunately not the
> same. For the first parameter you would use: Pattern.quote()
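
Added example, not part of the original messages and not EJBCA code: a small Java program that runs the unquoted replaceAll() from the quoted snippet beside the Matcher.quoteReplacement() / Pattern.quote() form over several parameter values. The class name, method names, template text and parameter values are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; class and method names are hypothetical, not EJBCA code.
public class QuoteReplacementDemo {

    // Unquoted: '$' and '\' in param are interpreted as replacement syntax.
    static String substituteRaw(String template, int i, String param) {
        return template.replaceAll("\\{" + i + "\\}", param);
    }

    // Quoted: the placeholder is matched literally (Pattern.quote) and
    // param is inserted literally (Matcher.quoteReplacement).
    static String substituteQuoted(String template, int i, String param) {
        return template.replaceAll(Pattern.quote("{" + i + "}"),
                                   Matcher.quoteReplacement(param));
    }

    public static void main(String[] args) {
        String template = "Added end entity {0}.";   // constructed sample message
        String[] params = {                          // constructed sample values
            "CN=alice",          // harmless
            "CN=price$list",     // '$' + non-digit: IllegalArgumentException
            "CN=user$1",         // '$1' with no group 1: IndexOutOfBoundsException,
                                 // which a catch of IllegalArgumentException misses
            "CN=user$0",         // '$0' re-inserts the matched "{0}"
            "C:\\certs\\ca.pem", // backslashes are silently dropped
        };
        for (String p : params) {
            String raw;
            try {
                raw = substituteRaw(template, 0, p);
            } catch (RuntimeException e) {
                raw = "<" + e.getClass().getSimpleName() + ": " + e.getMessage() + ">";
            }
            System.out.println("param  : " + p);
            System.out.println("raw    : " + raw);
            System.out.println("quoted : " + substituteQuoted(template, 0, p));
        }
    }
}
```

With the quoted form every parameter appears in the message exactly as supplied, so values such as subject DNs or file paths reach the log unaltered.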