[Webappsec] Using POSIX regular expressions with Struts

Rohit Lists rklists at gmail.com
Sat Nov 8 11:59:34 EST 2008


Ok, my previous msg was based on Struts 1.1. Looking at the Struts
documentation for Validator for 1.3.8 it looks like the "mask"
validator uses the org.apache.regexp.RE class:
http://jakarta.apache.org/regexp/apidocs/org/apache/regexp/RE.html
http://struts.apache.org/1.3.8/faqs/validator.html

So in fact it DOES allow for POSIX style Character classes, but not
[:ascii:] as you've suggested. You could use \w (i.e. alphanumeric and
dash) plus the specific special characters you want to support.

This is probably of interest for people using Struts for apps with
internationalization support since they can use the POSIX [:alnum:]
for multilingual alpha-numeric regex expressions.


On Sat, Nov 8, 2008 at 9:39 AM, Rohit Lists <rklists at gmail.com> wrote:
> Matt, after a quick look through Google Code it looks like Struts
> validation attempts to emulate common Perl 5 regular expressions. The
> org.apache.oro.text.perl.Perl5Util class appears to be the actual
> implementation of regular expression checking. I can't seem to find
> any reference to POSIX style regular expressions in the class:
> http://www.google.com/codesearch?hl=en&q=file:(/%7C%5E)org/apache/oro/text/perl/Perl5Util%5C.java%24+show:1XyDK-ER_hY:iItTrPwx7p8:1XyDK-ER_hY&sa=N&cd=1&ct=rc&cs_p=http://svn.apache.org/repos/asf/jakarta/oro/&cs_f=trunk/src/java/org/apache/oro/text/perl/Perl5Util.java
> but it might be worth investigating further. It's also possible that
> your particular version of Struts uses a different regex
> implementation (although I doubt it, unless it's Struts 2.x).
>
> My recommendation would be to use Servlet filters for this purpose
> since each form field will be transmitted as a parameter from the
> client. Remember that Struts validator only validates form field
> values - it does not validate other sources of input like invalid
> URLs, parameter names, cookie values, or other HTTP headers - so it
> may be a good idea to implement another method of input validation
> (such as Servlet filters) anyway.
>
> Another option would be to implement a Custom Validator that uses the
> Java Regular Expression library which does support POSIX expressions.
>
>
> On Wed, Nov 5, 2008 at 9:38 AM, Matthew Presson
> <matthew.presson at gmail.com> wrote:
>> Jim,
>> This has nothing to do with Internationalization, and thanks for the
>> comments on my blog.
>>
>> What I was trying to accomplish is to prevent the submission of double-byte
>> characters in a form field, only allowing a-zA-Z0-9 and the special
>> characters. Well the regex required for that, when used in the Struts
>> validation.xml, is:
>> ^[a-zA-Z0-9`~!@#$%\^\*\(\)\-_\+=\[\{\}\]\|\\;:'",\./\?\s&lt;&gt;&amp;]*$. If
>> you will notice I have to encode the <, >, and & to get it to work right. I
>> don't know why, but such is life.
>>
>> Now it would be a lot easier (simpler) regex if I could do this: ^\p{ASCII}$
>> which is the POSIX style regular expression which Java natively supports,
>> although absolutely does not work in Struts 1.3.8. Thus, the reason for this
>> proposed question.
>>
>>
>> Thanks all,
>> Matt
>>
>>
>>
>> On Tue, Nov 4, 2008 at 9:03 PM, Jim Manico <jim at manico.net> wrote:
>>>
>>> Matthew,
>>>
>>> What is stopping you from accomplishing internationalization with standard
>>> regular expressions? I remember your blog post on this topic - but is the
>>> issue struts, regular expressions in general, or perhaps the text editor
>>> that is being used?
>>>
>>> It was great seeing you and your team while I was in town. Give Josh and co.
>>> my best.
>>>
>>> Aloha from Florida,
>>> - Jim
>>>
>>> This may be too pinpointed for this mailing list, but has anyone ever had
>>> any success using POSIX style regular expressions in conjunction with the
>>> Struts 1.x framework? Specifically, have you ever been able to use these
>>> style expressions with the Struts Validator?
>>>
>>> Thanks,
>>> Matt Presson
>>>
>>> ________________________________
>>> _______________________________________________
>>> Webappsec mailing list
>>> Webappsec at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/webappsec
>>>
>>
>>
>>
>> --
>> Matt Presson, CISSP
>>
>>
>
>
>
> --
> Rohit Sethi
> Security Compass
> http://www.securitycompass.com
>



-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
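Added example, not code from the thread, from Struts or from Jakarta Regexp: a servlet filter of the kind Rohit recommends, applying the printable-ASCII rule Matt describes to every parameter name and value using the POSIX-style classes that java.util.regex supports natively (\p{Print} plus \s, with a quantifier so the whole field is matched). The class name is hypothetical and a Servlet 2.x-or-later container is assumed.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; added example, not part of Struts or the thread.
public class PrintableAsciiParameterFilter implements Filter {
    // Java's POSIX-style classes: \p{Print} is printable ASCII (0x20-0x7E) and
    // \s is ASCII whitespace, so together they accept the same input as the
    // long a-zA-Z0-9 + punctuation class quoted in the thread and reject every
    // non-ASCII (e.g. double-byte) character. The '*' makes the pattern match a
    // whole field instead of a single character.
    static final Pattern PRINTABLE_ASCII = Pattern.compile("^[\\p{Print}\\s]*$");

    static boolean isPrintableAscii(String s) {
        return s != null && PRINTABLE_ASCII.matcher(s).matches();
    }

    // The Struts Validator only checks declared form-bean properties; a filter
    // sees every parameter name and value, including ones no form bean declares.
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Enumeration names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (!isPrintableAscii(name)) { reject(resp); return; }
            for (String value : req.getParameterValues(name)) {
                if (!isPrintableAscii(value)) { reject(resp); return; }
            }
        }
        chain.doFilter(req, resp);
    }

    // Fixed message only: never echo the rejected name or value back to the client.
    private static void reject(ServletResponse resp) throws IOException {
        if (resp instanceof HttpServletResponse) {
            ((HttpServletResponse) resp).sendError(
                    HttpServletResponse.SC_BAD_REQUEST, "Parameter outside printable ASCII");
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Because the pattern lives in Java code rather than in validation.xml, the `<`, `>` and `&` characters need no XML escaping here.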

