[Esapi-user] Help Regarding ESAPI
Kevin W. Wall
kevin.w.wall at gmail.com
Tue Jun 14 08:23:28 EDT 2011
On Tue, Jun 14, 2011 at 6:03 AM, ashish kumar gautam <gautamashishkumar at gmail.com> wrote:
> Dear Sir
> I am using ESAPI for validating file name, file size and file content.
> I am able to validate the file name and size.
> I am not able to validate file content.
> isValidFileContent() method does not validate the content of the file, it
> validates the size of a file. Whereas I want to validate the content of the
> file, i.e. I want to fix the content of the file.
When you write that you want to "validate the *content* of a file", what exactly do you mean?

Do you mean something like being able to distinguish (say) a text file from a Java jar from an a.out executable from a Microsoft Word document, and to also make this determination by the actual bytes representing the file (versus the naive attempt of judgement based on a file suffix)? If so, isValidFileContent() is definitely not going to do anything like that and IIRC, ESAPI doesn't have anything that goes beyond that.

To do an analysis that goes beyond file suffix would require implementing something like *nix's file(1) command and its associated magic(5) file. And while I can see how each of these might be useful (for instance, you may want to ensure that users can only upload certain image formats), even the techniques used by file and magic are not fool-proof. In particular, these things were never meant to be file checkers that could be used in a security context as an adversary can find ways around them.
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
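One way to do the "by the actual bytes" check Kevin describes, as an added example that is neither ESAPI code nor part of the original post: a small Java magic-byte sniffer in the spirit of file(1)/magic(5). The signature table and the accepted-type allowlist are constructed for illustration; it requires the claimed suffix and the leading bytes to agree, and the ZIP case shows why magic bytes alone are ambiguous (a .jar, .docx and .zip all start with the same four bytes), which is the "not fool-proof" caveat in the reply.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Classifies an upload by its leading bytes, the way file(1) does with magic(5). */
public final class MagicSniffer {

    // Constructed allowlist: leading-byte signatures of the formats the application accepts.
    private static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        SIGNATURES.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        SIGNATURES.put("gif", new byte[] {'G', 'I', 'F', '8'});
        // "PK\3\4" is shared by every ZIP container (.zip, .jar, .docx, ...): the magic
        // bytes identify the container, not the real type, so "zip" is deliberately vague.
        SIGNATURES.put("zip", new byte[] {'P', 'K', 0x03, 0x04});
    }

    /** Returns the signature name the first bytes match, or empty if none does. */
    public static Optional<String> detect(byte[] head) {
        for (Map.Entry<String, byte[]> e : SIGNATURES.entrySet()) {
            byte[] sig = e.getValue();
            if (head.length >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return Optional.of(e.getKey());
            }
        }
        return Optional.empty();
    }

    /** Accepts only when the suffix and the magic bytes agree and the type is on the allowlist. */
    public static boolean suffixMatchesContent(String fileName, byte[] head) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return false;
        String raw = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        final String suffix = raw.equals("jpeg") ? "jpg" : raw;   // normalise the JPEG alias
        // Only checks the head of the file: a file with a valid image header can still carry
        // arbitrary data after it, which is exactly why this is not a security boundary.
        return detect(head).map(suffix::equals).orElse(false);
    }

    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0}; // constructed
        byte[] jar = {'P', 'K', 0x03, 0x04, 0, 0};                                // constructed
        System.out.println(suffixMatchesContent("photo.png", png)); // true
        System.out.println(suffixMatchesContent("photo.jpg", png)); // false: suffix disagrees
        System.out.println(suffixMatchesContent("lib.jar", jar));   // false: "jar" not allowed
        System.out.println(detect(jar).orElse("unknown"));          // zip: container only
    }
}
```

Use this alongside the size limit that isValidFileContent() already enforces, not instead of it; the head check decides only whether the bytes look like an allowed format, never that the file is safe.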