diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index d99d188b5d5..be02f5e48f5 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -326,6 +326,12 @@ public class ApiServer implements HttpRequestHandler {
continue;
}
String[] value = (String[]) params.get(key);
+ // fail if parameter value contains ASCII control (non-printable) characters
+ String newValue = StringUtils.stripControlCharacters(value[0]);
+ if ( !newValue.equals(value[0]) ) {
+ throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Received value " + value[0] + " for parameter "
+ + key + " is invalid, contains illegal ASCII non-printable characters");
+ }
paramMap.put(key, value[0]);
}
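Review bot: The new `throw` on the two added lines embeds the raw `value[0]` in the exception message, so the control characters the check exists to keep out of the parameter are reflected straight into the API error response and into any log line that records it (a newline or escape sequence in the value becomes a log-injection vector). Naming the parameter is enough for the client to locate the problem: `throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Value received for parameter " + key + " is invalid, contains illegal ASCII non-printable characters");`. Whether `value[0]` can be null here is not visible in the hunk; if it can, `stripControlCharacters` would presumably fail with a NullPointerException before the `equals` comparison, so a null guard ahead of the call may be needed. The rejection criterion is whatever `StringUtilities.stripControls` chooses to alter, which, if I recall the ESAPI implementation correctly, is every character outside 0x21–0x7e (substituting a space), so non-ASCII values such as UTF-8 display names would be rejected as well — worth confirming against the intended contract. The enclosing loop and method begin and end outside the hunk.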
diff --git a/utils/pom.xml b/utils/pom.xml
index 937fad35c0f..e4fd2b0f7e6 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -157,6 +157,11 @@
reflections
${cs.reflections.version}
+
+ org.owasp.esapi
+ esapi
+ 2.0.1
+
install
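Review bot: Adding the whole `org.owasp.esapi:esapi` artifact at 2.0.1 for a single helper runs against the rationale in the StringUtils header comment ("rather than import the entire JAR to our system ... just implement the method needed"), and ESAPI carries a sizeable transitive dependency tree of its own that now has to be tracked for updates. A short character-class check over `s` inside `stripControlCharacters` (hunk at utils/src/com/cloud/utils/StringUtils.java) would avoid the new dependency and make the accepted character range explicit; if the dependency stays, a comment in the pom or in the helper stating why would help the next maintainer. The same consideration applies to the import added in the first StringUtils hunk.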
diff --git a/utils/src/com/cloud/utils/StringUtils.java b/utils/src/com/cloud/utils/StringUtils.java
index 8f0a503abef..14ff4b1ae94 100644
--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
@@ -23,6 +23,8 @@ import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
+import org.owasp.esapi.StringUtilities;
+
// StringUtils exists in Apache Commons Lang, but rather than import the entire JAR to our system, for now
// just implement the method needed
public class StringUtils {
@@ -150,6 +152,9 @@ public class StringUtils {
return cleanResult;
}
+ public static String stripControlCharacters(String s) {
+ return StringUtilities.stripControls(s);
+ }
public static int formatForOutput(String text, int start, int columns, char separator) {
if (start >= text.length()) {
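Review bot: `stripControlCharacters` has no Javadoc, and what counts as a control character — and what happens for a null `s` — is determined entirely by ESAPI's `StringUtilities.stripControls`, which is not visible here. Since ApiServer uses the method as a validation oracle (`!newValue.equals(value[0])`), the exact accepted character set is part of the API contract and should be stated; a Javadoc along the lines of `/** Returns {@code s} with every character that ESAPI's StringUtilities.stripControls treats as a control character removed or substituted; callers comparing the result with the input rely on that exact character set. */` would do. If call sites can pass null, either `if (s == null) { return s; }` ahead of the delegate call or a documented `@throws NullPointerException` belongs here. `formatForOutput` starts at the end of the hunk and continues outside it.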