Issue
Using the below code in my application for generating an Excel file as an attachment to the API response header.
App Code:
ESAPI.httpUtilities().setHeader(response,"Content-Disposition", "attachment;filename=" + fileName + "");
After changing to ESAPI 2.2.3.1, excluding log4j due to the vulnerability issues, and adding the below lines in ESAPI.properties:
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Logger.UserInfo=false
Logger.ClientInfo=false
I'm getting the below error in my app. I have the same ESAPI.properties with ESAPI version 2.0.1, which is working fine for the above app code.
Error Message:
org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type] with root cause
org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type
at org.owasp.esapi.reference.DefaultSecurityConfiguration.getIntProp(DefaultSecurityConfiguration.java:1265)
at org.owasp.esapi.reference.DefaultHTTPUtilities.setHeader(DefaultHTTPUtilities.java:890)
at com.caremore.togetherness.controller.ExportDataController.getMemberReferralData(ExportDataController.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Solution
I think you have missed a property in your esapi.properties file in your project which is required by the latest dependency of the org.owasp.esapi 2.2.3.1 library/jar. Once you update the esapi.properties file to include the missing entry
HttpUtilities.MaxHeaderNameSize=256
which I have noticed in this link, it might work out as expected.
Answered By - srikanth
Answer Checked By - Terry (JavaFixing Volunteer)
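As an added example (not code from the question, the answer, or the ESAPI project), the listener below turns the ConfigurationException from the stack trace into a deployment-time failure instead of a runtime one, and wraps the Content-Disposition call so the filename is reduced to characters ESAPI's header validator accepts. It assumes the javax.servlet API used by ESAPI 2.2.3.1, that the listener is registered in web.xml, and that HttpUtilities.MaxHeaderValueSize (the companion limit DefaultHTTPUtilities.setHeader reads in 2.2.x) is also present; the class and method names are hypothetical.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ConfigurationException;

/** Fails fast at deployment if ESAPI.properties lacks the 2.2.x header-size limits. */
public class EsapiConfigCheck implements ServletContextListener {

    // Integer properties read by DefaultHTTPUtilities.setHeader in ESAPI 2.2.x
    // (constructed list; the second entry is an assumption, see lead-in).
    private static final String[] REQUIRED_INT_PROPS = {
        "HttpUtilities.MaxHeaderNameSize",
        "HttpUtilities.MaxHeaderValueSize"
    };

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        for (String key : REQUIRED_INT_PROPS) {
            try {
                int limit = ESAPI.securityConfiguration().getIntProp(key);
                if (limit <= 0) {
                    throw new IllegalStateException(key + " must be positive, got " + limit);
                }
            } catch (ConfigurationException e) {
                // Same exception as in the stack trace, but raised at startup
                // rather than on the first file download a user attempts.
                throw new IllegalStateException("ESAPI.properties is missing or mistypes " + key, e);
            }
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Sets Content-Disposition through ESAPI with the filename reduced to a safe character set. */
    public static void setAttachmentHeader(HttpServletResponse response, String fileName) {
        // Replace CR/LF, quotes, path separators and anything else outside a
        // conservative set, so a user-influenced name cannot break out of the
        // header value; ESAPI then applies its own length and pattern checks.
        String safeName = fileName.replaceAll("[^A-Za-z0-9._-]", "_");
        ESAPI.httpUtilities().setHeader(response, "Content-Disposition",
                "attachment;filename=" + safeName);
    }
}
```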