[Hibernate-JIRA] Created: (HHH-6882) add API to AbstractCollectionEvent for accessing CollectionPersister
by Krasimir Chobantonov (JIRA)
add API to AbstractCollectionEvent for accessing CollectionPersister
--------------------------------------------------------------------
Key: HHH-6882
URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6882
Project: Hibernate Core
Issue Type: Improvement
Environment: any
Reporter: Krasimir Chobantonov
When collection events are fired by Hibernate and the collection is not initialized because it was not a PersistenceCollection or it was null, then the listener will get the event but there is no way to tell which property of the entity is being changed. Because the collection is null, we can't get the collection persister using the session. The collection role is also not stored anywhere in the event. For listeners that perform audit, security, etc., this information is needed even when the target persistence collection was not loaded.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[Hibernate-JIRA] Created: (HV-473) Add option to Canonicalize String Input
by Chris Schmidt (JIRA)
Add option to Canonicalize String Input
---------------------------------------
Key: HV-473
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-473
Project: Hibernate Validator
Issue Type: Improvement
Components: engine
Environment: n/a
Reporter: Chris Schmidt
Add the ability to enable canonicalization (normalization) of Strings prior to validation processing. By default this behavior should be enabled.
Canonicalization is imperative in validation logic; without it, it is possible to bypass many (string-based) validation constraints to perform things like encoding attacks (XSS, SQLi) and path traversal attacks (RFI, LFI).
This canonicalization should be configurable to allow multiple or mixed encoding in a string (with a default to fail validation if either condition is true) through the use of an annotation:
@Canonicalize(allowMixed=true, allowMultiple=true)
@Pattern(regexp=".*")
private String someString;
This is necessary, especially when using validation on machine-generated values (webservices, etc.), to allow a string to be canonicalized to its base form even if there are multiple or mixed encodings in the string. However, this is not behavior that a normal application user would display - hence the approach of disallowing a string of this type by default.
Please reference the OWASP ESAPI for an example of how to implement:
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/ja...
For additional information on the importance of canonicalization in validation see:
https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
Feel free to use the ESAPI Library or any of its code to help Hibernate-Validator be more secure and complete!
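A worked illustration of the canonicalize-then-validate behaviour requested above, added here as an example; it is neither Hibernate Validator nor OWASP ESAPI code, although it follows the same idea of repeatedly decoding until the string stops changing. The codec set (percent-encoding and HTML entities), the definitions used for "multiple" (one codec had to run more than once) and "mixed" (more than one codec contributed), the constraint `NO_MARKUP`, and all sample inputs are constructed for the example.

```python
import html
import re
import urllib.parse


class IntrusionError(ValueError):
    """Input used an encoding pattern the policy does not allow."""


# Two decoders, run in a fixed order on every pass. Each only fires when its
# own syntax is visibly present, so text without that syntax is never altered.
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")
_ENTITY = re.compile(r"&(#[xX][0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")


def _percent_decode(s: str) -> str:
    return urllib.parse.unquote(s) if _PCT.search(s) else s


def _html_decode(s: str) -> str:
    return html.unescape(s) if _ENTITY.search(s) else s


CODECS = (("percent", _percent_decode), ("html", _html_decode))


def canonicalize(value: str, max_rounds: int = 10):
    """Decode until a full pass changes nothing; return (canonical, multiple, mixed).

    multiple: some codec had to run more than once, e.g. %2527 -> %27 -> '
    mixed:    more than one codec contributed,       e.g. %26lt; -> &lt; -> <
    """
    current, used = value, []
    for _ in range(max_rounds):
        changed = False
        for name, decode in CODECS:
            out = decode(current)
            if out != current:
                used.append(name)
                current, changed = out, True
        if not changed:
            break
    else:
        # Still changing after max_rounds: nesting this deep is refused outright.
        raise IntrusionError("decoding did not converge")
    multiple = len(used) != len(set(used))
    mixed = len(set(used)) > 1
    return current, multiple, mixed


def validate(value: str, pattern: str, allow_multiple: bool = False,
             allow_mixed: bool = False) -> bool:
    """Canonicalize, apply the encoding policy, then match the regex against the
    canonical form (the equivalent of @Canonicalize followed by @Pattern)."""
    canonical, multiple, mixed = canonicalize(value)
    if multiple and not allow_multiple:
        raise IntrusionError("multiple encoding detected")
    if mixed and not allow_mixed:
        raise IntrusionError("mixed encoding detected")
    return re.fullmatch(pattern, canonical) is not None


def naive_validate(value: str, pattern: str) -> bool:
    """Regex on the raw string only: what validation does without canonicalization."""
    return re.fullmatch(pattern, value) is not None


# Constructed sample constraint: no markup or quote characters allowed.
NO_MARKUP = r"[^<>'\"]*"


if __name__ == "__main__":
    # Constructed sample: percent-encoded entities hide a '<' from the raw regex.
    sample = "%26lt;script%26gt;"
    print("naive:", naive_validate(sample, NO_MARKUP))
    print("canonical:", canonicalize(sample))
    print("allow_mixed policy:", validate(sample, NO_MARKUP, allow_mixed=True))
```

With the defaults the mixed-encoded sample is rejected before the regex ever runs; with `allow_mixed=True` it is decoded to `<script>` and then fails the pattern, which is the behaviour the ticket asks for on machine-generated input. The raw-string check alone accepts it.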
[Hibernate-JIRA] Updated: (HHH-1123) Cannot put more than 1000 elements in a InExpression
by Steve Ebersole (JIRA)
[ http://opensource.atlassian.com/projects/hibernate/browse/HHH-1123?page=c... ]
Steve Ebersole updated HHH-1123:
--------------------------------
Pull Requests: (was: https://github.com/hibernate/hibernate-core/pull/234)
> Cannot put more than 1000 elements in a InExpression
> ----------------------------------------------------
>
> Key: HHH-1123
> URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-1123
> Project: Hibernate Core
> Issue Type: Improvement
> Components: core
> Affects Versions: 3.1 rc2, 3.2.0.alpha1
> Environment: Oracle 9i
> Reporter: Alexis Seigneurin
> Attachments: Animal.hbm.xml, hibernate-inexpression-oracle-3.2.patch, HQLHelper.java, LongInElementsTest.java, patch.txt
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The number of elements that we can put in a "in" expression is limited to a certain amount (1000 for Oracle, for instance). When creating a criteria query, the org.hibernate.criterion.InExpression class should split the expression into several smaller ones.
> Attached is a patch which splits the expression by slices of 500 elements. For example, if we have 1001 elements to put in the "in" expression, the result would be:
> (entity.field in (?, ?, ?...) or entity.field in (?, ?, ?...) or entity.field in (?))
> The surrounding parentheses are useful to avoid problems with other conditions (an "and" condition taking over one of the "or" conditions).
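The slicing described in the ticket, as an added example that is not the attached patch (which targets org.hibernate.criterion.InExpression in Java) and not Hibernate code. It builds the OR'd list of IN slices with positional placeholders so the values stay bound parameters rather than being inlined into the SQL, and runs the result against a constructed in-memory SQLite table to show that the slices bind in order. The table, the column name `animal.id`, the function names, and the always-false fallback for an empty list are assumptions made for the example.

```python
import re
import sqlite3
from typing import Any, List, Sequence, Tuple

ORACLE_IN_LIMIT = 1000   # limit quoted in the ticket for Oracle
SLICE_SIZE = 500         # slice size the ticket's patch uses

# Only a plain, optionally qualified identifier may be interpolated into the SQL.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def chunked_in_expression(column: str, values: Sequence[Any],
                          slice_size: int = SLICE_SIZE) -> Tuple[str, List[Any]]:
    """Return (sql_fragment, parameters) for `column in (values...)`, split into
    slices of at most slice_size joined by OR and wrapped in parentheses.

    Placeholders are positional, so every value is bound, never inlined.
    """
    if not _IDENT.fullmatch(column):
        raise ValueError(f"not a column identifier: {column!r}")
    if slice_size < 1:
        raise ValueError("slice_size must be positive")
    if not values:
        # An empty IN list is a syntax error on most databases; an always-false
        # predicate keeps the query valid and returns no rows (assumption).
        return "(1 = 0)", []
    parts = []
    for start in range(0, len(values), slice_size):
        n = min(slice_size, len(values) - start)
        parts.append(f"{column} in ({', '.join(['?'] * n)})")
    return "(" + " or ".join(parts) + ")", list(values)


def fetch_matching(values: Sequence[int], slice_size: int = SLICE_SIZE) -> List[int]:
    """Demo only: run the chunked predicate against a constructed in-memory table
    of seven animals (ids 1..7) and return the matching ids in order."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("create table animal (id integer primary key, name text)")
        conn.executemany("insert into animal values (?, ?)",
                         [(i, f"animal{i}") for i in range(1, 8)])
        where, params = chunked_in_expression("animal.id", values, slice_size)
        sql = f"select animal.id from animal where {where} order by animal.id"
        return [row[0] for row in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    print(chunked_in_expression("entity.field", [1, 2, 3], slice_size=2))
    print(fetch_matching([1, 3, 5, 7, 9], slice_size=3))
```

The identifier check matters because the column name is the one piece of the fragment that is interpolated rather than bound; the values themselves always travel as parameters, so the slicing never changes how they are escaped.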