[Esapi-dev] HTTPParameterValue

Michael Coates michael.coates at owasp.org
Tue Sep 28 18:06:40 EDT 2010


 3 agrees and 1 comment :)

On 9/28/10 3:01 PM, Jeff Williams wrote:
> I strongly encourage organizations to use a reasonably limited whitelist here. 
Agree.
> Just because the spec allows it does not mean that you have to allow it in your 
> application. 
Agree.
> Do you really need tilde and backtick? 
I think the reason Jim brought this up is because the default regex is
killing a lot of normal use cases. So we need to decide where our
threshold of pain is for this filter. In reality, this should just be an
initial check. We shouldn't have an organization use this one check as
their only input validation check throughout the whole app. They can get
much more specific depending upon the input and the specific spot within
the application.  If we agree on that view then the question is how much
do we lock down the default?  We tried stripping away the @ and that
broke email addresses.  We could pull out the tilde and backtick
instead. What about the caret?

Perhaps this is what Jim was getting at originally, where is that sweet
spot of breakage versus coarse grained input validation that we want to
be in?
> You may want to try a regex 
> that allows printable international characters.
Agree.
> --Jeff
>
> From: esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Michael Coates
> Sent: Tuesday, September 28, 2010 5:47 PM
> To: Jim Manico
> Cc: 'ESAPI-Developers'
> Subject: Re: [Esapi-dev] HTTPParameterValue
>
> Allow %20-%7E (the actual values of course, not the hex representation). This 
> will eliminate the non-printable characters like null and line breaks (%0A, %0C) 
> and allow most everything else. One note, I'm not sure if this will work well 
> for international character sets.
>
> As Jim points out, this should be a coarse grain filter. Any real filtering is 
> contextual within the app.
>
>
>
> Michael Coates
>
> OWASP
>
>
> On 9/28/10 2:39 PM, Jim Manico wrote:
>
> We currently use the following regular expression to validate HTTPParameterValue
> in the wrapper filters.
>
> Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
>
> This is turning out to be horribly restrictive (for example, even email
> addresses in input data get rejected).
>
> We need some pretty detailed analysis on this regex to get it right.
>
> Keep in mind, this is not to be used for contextual validation (real app
> validation). This is just a sanity filter to make sure your inputs abide by the
> HTTP Standard.
>
> Thoughts?
>
> - Jim
>
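To make the trade-off discussed in this thread concrete, here is an added example (not ESAPI's code) that runs constructed parameter values through the quoted default pattern, the printable-ASCII range (%20-%7E) proposed above, and a printable-international variant; it also shows why the pattern should be applied as a full match rather than relying on a `$` anchor.

```python
import re

# Added example, not ESAPI code. Three coarse filters from the thread, run over
# constructed parameter values.

# The quoted ESAPI.properties default ^[a-zA-Z0-9.\\-\\/+=_ ]*$ with the
# properties-file escaping undone (one backslash instead of two).
DEFAULT_CLASS = r"[a-zA-Z0-9.\-/+=_ ]*"

# Michael Coates's proposal: printable ASCII only, 0x20 (space) to 0x7E (tilde).
PRINTABLE_ASCII_CLASS = r"[\x20-\x7E]*"


def default_ok(value: str) -> bool:
    """ESAPI default allowlist; fullmatch so a trailing newline cannot slip in."""
    return re.fullmatch(DEFAULT_CLASS, value) is not None


def printable_ascii_ok(value: str) -> bool:
    """%20-%7E range: drops NUL, LF, FF and other controls, keeps @ ~ ` ^ etc."""
    return re.fullmatch(PRINTABLE_ASCII_CLASS, value) is not None


def printable_intl_ok(value: str) -> bool:
    """Jeff's suggestion: printable international characters, still no controls.
    str.isprintable() also rejects Unicode line/paragraph separators and
    non-breaking space, which a bare 'not 0x00-0x1F' class would let through."""
    return all(ch.isprintable() for ch in value)


def dollar_anchor_trap(value: str) -> bool:
    """Why fullmatch above: with re.match, $ also matches just before a final
    newline, so ^...$ accepts a value ending in LF, exactly the line break the
    filter exists to block. Java's $ does the same with Matcher.find();
    Matcher.matches() requires the whole input to match and does not."""
    return re.match("^" + DEFAULT_CLASS + "$", value) is not None


def classify(value: str) -> dict:
    """Result of all three coarse filters for one parameter value."""
    return {
        "default": default_ok(value),
        "printable_ascii": printable_ascii_ok(value),
        "printable_intl": printable_intl_ok(value),
    }


if __name__ == "__main__":
    samples = ["path/to+file=1", "user@example.com", "~`^", "Grüße",
               "a\x00b", "line1\nline2", "x\n"]  # constructed inputs
    for s in samples:
        print(repr(s), classify(s), "anchor-trap:", dollar_anchor_trap(s))
```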