[Esapi-dev] Help regarding issue 251

Jim Manico jim.manico at owasp.org
Thu Oct 2 21:26:32 UTC 2014


Well it sure is a significant bug. So how to fix?

So what if you first take the string and parse it to a Date, and then
take the same Date and format it back to a String? Assuming the format
does not include the erroneous characters, you might be able to fail
on validation if the original and formatted Date string do not match.

This is how I'd first take it on.

Maybe look for an Apache date class that is more strict?

Thanks for looking at this.

--
Jim Manico
@Manicode
(808) 652-3805

> On Oct 2, 2014, at 1:07 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> You do not stop injection at the input validation layer, I do not
> think this is a good bug.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
>> On Oct 2, 2014, at 10:53 AM, Nalin Goel <naling1994 at gmail.com> wrote:
>>
>> Hi guys,
>>
>> I am new to open-source and would like to work with owasp-esapi.
>>
>> I did some research on issue 251 (IsValidDate not recognizing injection attacks) and would appreciate guidance as well as feedback as to what our inputs might be.
>>
>> Any help on getting me started is appreciated.
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
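The round-trip check Jim proposes in his reply above (parse the string to a Date, format the Date back to a String, reject the input if the two strings differ), written out as an added example. This is not ESAPI's code and not part of the original thread; the class name, the `yyyy-MM-dd` pattern and the sample inputs are assumptions chosen for illustration. It relies on one documented property of `java.text.DateFormat`: `parse(String)` may stop before the end of the input and silently ignore whatever follows, which is why a bare parse alone accepts a valid date with arbitrary text appended. A second method shows the equivalent check done with `ParsePosition`, which rejects input the parser did not fully consume.

```java
import java.text.ParseException;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;

/**
 * Hypothetical strict date validator (example code, not ESAPI's own).
 * Both checks reject input that java.text.DateFormat would otherwise
 * accept because it only parsed a prefix of the string.
 */
public final class StrictDateValidator {

    private final String pattern;

    public StrictDateValidator(String pattern) {
        this.pattern = pattern;
    }

    // SimpleDateFormat is not thread-safe, so build one per call.
    private SimpleDateFormat newFormat() {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setLenient(false); // e.g. month 13 is an error, not a roll-over
        return fmt;
    }

    /** Round-trip check: parse, re-format, and require an exact match. */
    public boolean isValidByRoundTrip(String input) {
        if (input == null) {
            return false;
        }
        SimpleDateFormat fmt = newFormat();
        try {
            Date parsed = fmt.parse(input); // may ignore trailing text
            return fmt.format(parsed).equals(input);
        } catch (ParseException e) {
            return false;
        }
    }

    /** Alternative: require the parser to consume the whole input. */
    public boolean isValidByParsePosition(String input) {
        if (input == null) {
            return false;
        }
        ParsePosition pos = new ParsePosition(0);
        Date parsed = newFormat().parse(input, pos);
        return parsed != null && pos.getIndex() == input.length();
    }

    public static void main(String[] args) {
        StrictDateValidator v = new StrictDateValidator("yyyy-MM-dd");

        // Constructed sample inputs for the demonstration.
        String[] samples = {
            "2014-10-02",               // valid, round-trips exactly
            "2014-10-02 trailing-text", // plain parse() accepts this, both checks reject it
            "2014-13-01",               // rejected by non-lenient parsing
            "2014-1-2"                  // parses, but does not round-trip to canonical form
        };

        for (String s : samples) {
            System.out.printf("%-28s roundTrip=%-5b parsePosition=%b%n",
                    s, v.isValidByRoundTrip(s), v.isValidByParsePosition(s));
        }
    }
}
```

The round-trip variant is the stricter of the two: it also rejects inputs such as `2014-1-2` that parse correctly but are not in canonical form for the pattern, which may or may not be what an application wants. The `ParsePosition` variant accepts any input the parser fully consumes and rejects only unconsumed trailing text. Either one closes the gap Jim describes; which to use depends on whether non-canonical but well-formed dates should be allowed.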

