[Esapi-dev] Help regarding issue 251

Fabio Cerullo fcerullo at owasp.org
Fri Oct 3 12:44:37 UTC 2014


August,

Thanks for looking into this. Are you willing to push the patch to the repo?

Nalin,

It seems that bug has been remediated. Would you be interested in looking
at others?

Regards
Fabio

On Fri, Oct 3, 2014 at 12:55 PM, Jeff Williams <
jeff.williams at aspectsecurity.com> wrote:

>  This seems right to me.  Thanks!
>
> --Jeff
>
>
>
>
> On Oct 2, 2014, at 6:23 PM, August Detlefsen <augustd at codemagi.com> wrote:
>
>   Better yet would be to use the two-argument version of
> DateFormat.parse() and pass in a ParsePosition Object. When parse()
> returns, you check that the index of the ParsePosition is actually the end
> of the input String. If it is not, then isValidDate() returns false.
>
> This should be faster than parsing, formatting the resulting Date, and
> comparing them.
>
>  -August
>
> On Thu, Oct 2, 2014 at 3:09 PM, August Detlefsen <augustd at codemagi.com>
> wrote:
>
>> Developers might see that isValidDate() returns true and then take the
>> original string input and use that in subsequent operations instead of an
>> actual Date object. isValidDate() needs to be fixed to return false if the
>> date includes extra characters, regardless of what SimpleDateFormat does.
>>
>>  Attached is a proposed patch.
>>
>>  -August
>>
>> On Thu, Oct 2, 2014 at 2:26 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Well it sure is a significant bug. So how to fix?
>>>
>>> So what if you first take the string and parse it to a Date, and then
>>> take the same Date and format it back to a String? Assuming the format
>>> does not include the erroneous characters, you might be able to fail
>>> on validation if the original and formatted Date string do not match.
>>>
>>> This is how I'd first take it on.
>>>
>>> Maybe look for an Apache date class that is more strict?
>>>
>>> Thanks for looking at this.
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>>  > On Oct 2, 2014, at 1:07 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> >
>>> > You do not stop injection at the input validation layer, I do not
>>> > think this is a good bug.
>>> >
>>> > --
>>> > Jim Manico
>>> > @Manicode
>>> > (808) 652-3805
>>> >
>>> >> On Oct 2, 2014, at 10:53 AM, Nalin Goel <naling1994 at gmail.com> wrote:
>>> >>
>>> >> Hi guys,
>>> >>
>>> >> I am new to open-source and would like to work with owasp-esapi.
>>> >>
>>> >> I did some research on issue 251 (IsValidDate not recognizing injection
>>> >> attacks) and would appreciate guidance as well as feedback as to what our
>>> >> inputs might be.
>>> >>
>>> >> Any help on getting me started is appreciated.
>>> >> _______________________________________________
>>> >> Esapi-dev mailing list
>>> >> Esapi-dev at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>
>>
>>
>
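
The ParsePosition check August describes in the thread above, next to the one-argument parse() it replaces, as an added example that is not part of the original messages and is not ESAPI's code. The class name, method names, the yyyy-MM-dd pattern, the setLenient(false) call and the sample strings are assumptions made for illustration.

```java
import java.text.DateFormat;
import java.text.ParseException;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

public class StrictDateCheck {

    // Hypothetical helper, not ESAPI's isValidDate(): the input is accepted
    // only if the parser consumed every character of it.
    static boolean isStrictlyValidDate(String input, DateFormat format) {
        if (input == null || input.isEmpty()) {
            return false;
        }
        ParsePosition pos = new ParsePosition(0);
        Date parsed = format.parse(input, pos); // returns null on failure, does not throw
        return parsed != null
                && pos.getErrorIndex() == -1
                && pos.getIndex() == input.length();
    }

    // One-argument parse(): succeeds as soon as a leading date is found and
    // ignores whatever follows it in the string.
    static boolean isLooselyValidDate(String input, DateFormat format) {
        try {
            format.parse(input);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd", Locale.US);
        format.setLenient(false); // assumption: also reject out-of-range fields such as month 13
        // Constructed sample inputs.
        String[] samples = {
            "2014-10-02", "2014-10-02<extra>", "2014-10-02 trailing text",
            "2014-13-40", "not a date"
        };
        for (String s : samples) {
            System.out.printf("%-28s loose=%-5b strict=%b%n",
                    s, isLooselyValidDate(s, format), isStrictlyValidDate(s, format));
        }
    }
}
```

With these inputs only the first string passes the strict check, while the one-argument parse() also accepts the two strings that carry trailing characters.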