[Esapi-dev] Help regarding issue 251

August Detlefsen augustd at codemagi.com
Fri Oct 3 02:47:08 UTC 2014


Noooo... There should never be any reason for an end user to submit SQL
directly to your application.
On Oct 2, 2014 7:39 PM, "Nalin Goel" <naling1994 at gmail.com> wrote:

> Thanks August,
>
> But I think there can be some legitimate SQL statements along with the
> date. If we neglect anything but the date won't that affect the functionality
> of the user's site.
>
> Correct me if I am wrong.
>
> On Fri, Oct 3, 2014 at 3:39 AM, August Detlefsen <augustd at codemagi.com>
> wrote:
>
>> Developers might see that isValidDate() returns true and then take the
>> original string input and use that in subsequent operations instead of an
>> actual Date object. isValidDate() needs to be fixed to return false if the
>> date includes extra characters, regardless of what SimpleDateFormat does.
>>
>> Attached is a proposed patch.
>>
>> -August
>>
>> On Thu, Oct 2, 2014 at 2:26 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Well it sure is a significant bug. So how to fix?
>>>
>>> So what if you first take the string and parse it to a Date, and then
>>> take the same Date and format it back to a String? Assuming the format
>>> does not include the erroneous characters, you might be able to fail
>>> on validation if the original and formatted Date string do not match.
>>>
>>> This is how I'd first take it on.
>>>
>>> Maybe look for an Apache date class that is more strict?
>>>
>>> Thanks for looking at this.
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> > On Oct 2, 2014, at 1:07 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> >
>>> > You do not stop injection at the input validation layer, I do not
>>> > think this is a good bug.
>>> >
>>> > --
>>> > Jim Manico
>>> > @Manicode
>>> > (808) 652-3805
>>> >
>>> >> On Oct 2, 2014, at 10:53 AM, Nalin Goel <naling1994 at gmail.com> wrote:
>>> >>
>>> >> Hi guys,
>>> >>
>>> >> I am new to open-source and would like to work with owasp-esapi.
>>> >>
>>> >> I did some research on issue 251 (IsValidDate not recognizing injection
>>> >> attacks) and would appreciate guidance as well as feedback as to what our
>>> >> inputs might be.
>>> >>
>>> >> Any help on getting me started is appreciated.
>>> >> _______________________________________________
>>> >> Esapi-dev mailing list
>>> >> Esapi-dev at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>
>>
>>
>
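An added example, not from the ESAPI code base or from anyone on the thread, that reproduces the lenient parse behind issue 251 and implements both checks proposed above: Jim's parse-then-format round trip and August's requirement that nothing follow the date. The date patterns and sample inputs are constructed for illustration.

```java
import java.text.ParseException;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;

public class StrictDateCheck {

    // The root of the issue: SimpleDateFormat.parse(String) stops at the first
    // character it cannot consume and silently ignores the rest of the input.
    static boolean parsesLeniently(String input, String pattern) {
        try {
            new SimpleDateFormat(pattern).parse(input);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    // Jim's approach: parse, format back, and require the round trip to match.
    static boolean isValidDateRoundTrip(String input, String pattern) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setLenient(false);
        try {
            Date d = fmt.parse(input);
            return fmt.format(d).equals(input);
        } catch (ParseException e) {
            return false;
        }
    }

    // August's requirement, via ParsePosition: the parser must consume the whole
    // string, so any trailing characters make validation fail.
    static boolean isValidDateStrict(String input, String pattern) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setLenient(false); // also rejects impossible fields such as month 13
        ParsePosition pos = new ParsePosition(0);
        Date d = fmt.parse(input, pos);
        return d != null && pos.getIndex() == input.length();
    }

    public static void main(String[] args) {
        String tainted = "2014-10-02 and more"; // constructed: valid date plus trailing text
        System.out.println("lenient parse accepts tainted: " + parsesLeniently(tainted, "yyyy-MM-dd"));
        System.out.println("round trip accepts tainted:    " + isValidDateRoundTrip(tainted, "yyyy-MM-dd"));
        System.out.println("strict check accepts tainted:  " + isValidDateStrict(tainted, "yyyy-MM-dd"));
        // Caveat for the round-trip check: a pattern that normalises its output
        // ("01/02/2014" formats back as "1/2/2014" under M/d/yyyy) rejects legitimate input.
        System.out.println("round trip accepts 01/02/2014: " + isValidDateRoundTrip("01/02/2014", "M/d/yyyy"));
        System.out.println("strict check accepts 01/02/2014: " + isValidDateStrict("01/02/2014", "M/d/yyyy"));
    }
}
```

The ParsePosition form is the one that holds for any pattern; the round-trip form is only safe when the pattern formats every accepted input back to itself.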