ESAPI.properties file not being built / deployed as part of production downloads

Description

From kevin.w.wall@gmail.com on October 22, 2013 13:04:40

The 'configuration/esapi/ESAPI.properties' file and all other files under the 'configuration/esapi' directory are missing from the ESAPI production builds. (E.g., it is missing from the 2.1.0 release.)

This is causing some to use the ESAPI.properties file found in 'src/test/resources/esapi/ESAPI.properties' which has some (intentionally) insecure additional property values (e.g., Encryptor.cipher_modes.additional_allowed=CBC,ECB – ECB mode is normally not there). It also increases the likelihood that developers are using the test versions of Encryptor.MasterKey and Encryptor.MasterSalt property values.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=309
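
A deployment-time check for the two risks described above, as an added example that is not part of the original issue or of ESAPI: it flags ECB in Encryptor.cipher_modes.additional_allowed and any Encryptor.MasterKey / Encryptor.MasterSalt value identical to the one in the test copy. The function names and the sample file contents are constructed for illustration.

```python
# Added example (not ESAPI code): parse_properties and audit are illustrative names.
SECRET_KEYS = ("Encryptor.MasterKey", "Encryptor.MasterSalt")
MODES_KEY = "Encryptor.cipher_modes.additional_allowed"


def parse_properties(text):
    """Minimal .properties reader; continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        for i, ch in enumerate(line):
            if ch in "=:":  # split on the first separator only
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit(deployed_text, test_text):
    """Return findings for a deployed file, compared against the test copy."""
    deployed, test = parse_properties(deployed_text), parse_properties(test_text)
    findings = []
    modes = [m.strip().upper() for m in deployed.get(MODES_KEY, "").split(",")]
    if "ECB" in modes:
        findings.append(f"{MODES_KEY} allows ECB")
    for key in SECRET_KEYS:
        value = deployed.get(key, "")
        if not value:
            findings.append(f"{key} is not set")
        elif value == test.get(key):
            # Report the key name only, never the secret itself.
            findings.append(f"{key} matches the test resource value")
    return findings

# Constructed sample inputs (not the real contents of either ESAPI file).
TEST_COPY = """\
Encryptor.MasterKey=CONSTRUCTED-TEST-KEY==
Encryptor.MasterSalt=CONSTRUCTED-TEST-SALT=
Encryptor.cipher_modes.additional_allowed=CBC,ECB
"""
PROD_COPY = """\
# site-generated key, salt still copied from the test file
Encryptor.MasterKey=CONSTRUCTED-SITE-KEY==
Encryptor.MasterSalt=CONSTRUCTED-TEST-SALT=
Encryptor.cipher_modes.additional_allowed=CBC
"""

if __name__ == "__main__":
    print(audit(PROD_COPY, TEST_COPY))
```

In a build pipeline the second argument would be the text of 'src/test/resources/esapi/ESAPI.properties' from the ESAPI source tree, and a non-empty result would fail the deployment.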

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman

Priority
