[Esapi-user] [Esapi-dev] [OWASP-ESAPI] Vulnerability alerts ....

Jim Manico jim.manico at owasp.org
Tue Jan 26 17:01:11 EST 2010

> Not to make this more complicated, but as of a few short months ago,
> 1.4.0 was the most recent stable version of ESAPI. Jump ahead to today,
> and 1.4.3 was just recently released.

Yes, (I think that) as the project matures we will be releasing more 
often. "Release Early, Release Often!"

> Is a point release like this going to have functionality or fixes?

Mostly just fixes. We have *added* new functionality that *helps* with 
integration (better configuration, mostly). But we are *not* changing 
any of the core interfaces in these point releases. I did add log4j 
support recently, but this is an "add on" that does not break backwards 

ESAPI 1.4.0 + 1.4.1 are honestly beta, at best. I do not recommend using 
either in a production environment. This is a controversial statement 
that is my opinion only. 1.4.2 is significantly more stable and 1.4.3 is 
mostly a fix to the unit test mechanism. At bare minimum, upgrade to 
ESAPI 1.4.2 now.

However, this does NOT apply to release candidates for the 2.0 branch. 
We have been and will continue to change the core of the ESAPI 2.0 
branch (trunk) until 2.0 is finalized (GA). Once 2.0 is at GA, I agree 
that we should not make core changes (i.e., changes to the core interfaces).

Acceptable, Rob? Thoughts - anyone else?

- Jim

2010-01-26 06:41:05 HST  schallee at darkmist.net

     Since 1.4.3 is out, fix version to 1.4.4-SNAPSHOT...

2010-01-26 06:39:14 HST  schallee at darkmist.net

     Lots of little fixes for compiler warnings in eclipse in the 1.4
     branch. There are still a lot but now there are less...

2010-01-26 01:18:45 HST  manico.james

     1.4.3 final!

2010-01-24 11:07:43 HST  manico.james

     code comment clarification for order of property file loading

2010-01-23 21:52:42 HST  manico.james

     if .esapi folder not found or does not contain ESAPI.properties,
     look for a directory named 'resources' on the classpath

2010-01-21 08:31:11 HST  schallee at darkmist.net

     Unit test for previous commit.

2010-01-21 08:15:35 HST  schallee at darkmist.net

     Handle null from getResource when a resource is not found. Instead of an
     NPE being thrown, a FileNotFoundException is thrown, which is in line with the
     javadocs for the method that say an IOException is thrown "If the file
     cannot be found or opened for reading."

2010-01-21 08:13:23 HST  schallee at darkmist.net

     Change version from 1.4.2 to 1.4.3-SNAPSHOT so a stray mvn install
     doesn't mess up local repositories.

2010-01-18 03:58:31 HST  schallee at darkmist.net

     Add wrapped getDisableIntrusionDetection() and change to concrete
     instead of abstract so missing methods cause compilation errors with
     this instead of subclasses of it (not that direct instances of this
     class are very useful...).

2010-01-18 00:43:02 HST  manico.james

     1.4.2 final!

2010-01-18 00:36:40 HST  manico.james

     pom now titled 1.4.2

2010-01-17 19:58:51 HST  manico.james

     backported spaces in resource paths per 1.5 changes

2010-01-17 15:49:29 HST  manico.james

     cleanup of new intrusion disable code

2010-01-17 15:29:03 HST  manico.james

     properly defaulting intrusion detection disabling to false

2010-01-17 15:00:10 HST  manico.james

     Allows for complete disabling of the ESAPI intrusion detector.
     Reference implementation ESAPI.properties defaults intrusion detection
     to ON.

2010-01-17 14:41:54 HST  manico.james

     deprecating encrypt/decrypt functions due to weak crypto

2010-01-17 13:41:00 HST  manico.james

     undoing the 2.0->1.4 Encoder changes

2010-01-17 12:09:15 HST  manico.james

     backported the entire 1.5 encoder mechanism back to 1.4

2010-01-17 12:04:31 HST  schallee at darkmist.net

     Make patterns private static in SafeFile instead of one per instance.

     Remove some more characters from the tests so that it passes as is in
     windows. SafeFile needs work but now isn't the time for it.

2010-01-17 06:33:50 HST  schallee at darkmist.net

     Add commented sections of pom.xml and external-1.4-jdk.txt containing
     information on how to have Maven compile and run tests with an external
     1.4 JDK.

2010-01-16 16:53:23 HST  manico.james

     Removing System.out.printlns

2010-01-16 16:51:34 HST  manico.james

     Fix to filepath validation including relevant unit tests.

2010-01-16 15:42:47 HST  manico.james

     normalize removed from codebase completely

2010-01-16 09:19:16 HST  schallee at darkmist.net

     Use the "basedir" system property to find the src/test/resources 
     containing the config files for tests.

2010-01-16 08:15:42 HST  schallee at darkmist.net

     Change the CSS encoding in 1.4 to be like the version in 2.0. Update
     the EncoderTest to handle this change.

2010-01-16 00:43:55 HST  manico.james

     backported to the 1.4 branch

2010-01-15 19:18:16 HST  schallee at darkmist.net

     Fixes for EncryptedProperties, DefaultEncryptedProperties and
     EncryptedPropertiesTest in 1.4. These will be migrated to 2.0 in my
     next commit.

     Modify DefaultEncryptedProperties#getProperty(String) to return null if
     the key does not exist. This is more in line with what users will expect
     as it is what java.util.Properties#getProperty(String) does. Previously
     this would throw a NullPointerException in Base64#decode(String) when
     it tried to decode null, which was confusing at best.

     Modify javadoc for EncryptedProperties#getProperty(String) to define
     the expected behavior in the case of a non-existent key.

     Add EncryptedPropertiesTest#testNonExistantKey() to test the behavior
     of non-existent keys in isolation.

     Modify EncryptedPropertiesTest#testGetProperty() to not expect an
     Exception to be thrown in the case of a non-existent key.

     Modify EncryptedPropertiesTest#testKeySet() to not depend on the order
     of the keys in the key set.

     Combine EncryptedPropertiesTest#testStore()
     and EncryptedPropertiesTest#testLoad() into
     EncryptedProperties#testStoreLoad() as testLoad() depended on 
     running first which I'm not sure junit/surefire guarantees. Also modify
     to write to and read from a byte array input and output stream to avoid
     managing a temporary file.

     Remove EncryptedProperties#main(String[]) as it wasn't worth porting the
     above to it and mvn -Dtest=EncryptedPropertiesTest test is functionally
     equivalent to what was originally desired.

     I think that's all...

2010-01-15 17:47:48 HST  schallee at darkmist.net

     Change setCurrentHTTP to not attempt to wrap a null request or null

2010-01-15 11:34:55 HST  schallee at darkmist.net

     Lots of changes to rather broken tests in SafeFileTest. Tests that
     were testing java.io.File were modified to actually test SafeFile or
     removed. Further, printing of test results and not using junit was 

     As there haven't been major changes to SafeFile this change to
     SafeFileTest will be committed to the 2.0 branch as well.

2010-01-15 03:48:25 HST  schallee at darkmist.net

     Fix HTTPUtilitiesTest that was trying to use the resources directory
     which was null causing a NPE.

     This also adds some file test utilities for creating temporary 
     and recursively removing them. This may be worth forwarding to 2.0 at
     some point to help cleanup other file based unit tests there as well.

2010-01-15 03:45:08 HST  schallee at darkmist.net

     Fix unix test in a similar fashion to how it was fixed in the
     2.0 branch. This required the reimplementation/backport of
     SecurityConfigurationWrapper for 1.4 as well.

2010-01-15 03:42:05 HST  schallee at darkmist.net

     Fix unix test that expects /bin/sh to be a directory.

     Note that this was also previously fixed in the 2.0 branch.

2010-01-15 03:39:18 HST  schallee at darkmist.net

     Remove unneeded cast to DefaultSecurityConfiguration which also 
     other implementations of SecurityConfiguration from working.

     Note that this was previously fixed in the 2.0 branch.

2010-01-14 12:43:11 HST  manico.james

     validation doc cleanup

2010-01-13 14:58:20 HST  manico.james

     documentation cleanup for validation

2010-01-13 14:42:05 HST  manico.james

     documentation cleanup for validation

2009-12-13 18:12:09 HST  schallee at darkmist.net

         switch back to back slash self for printable ascii
         fix tests that got messed up by back ports and such
         normalize still fails but this is known (issue 74)
         double encoding fails and needs checking

2009-12-13 17:37:11 HST  schallee at darkmist.net

     HashTrieTest#testValues() was throwing a ClassCastException in the
     sort. It turns out Boolean is not Comparable in 1.4 but is in 1.5. This
     has been changed to Integer in the 1.4 branch.

2009-12-13 17:10:02 HST  schallee at darkmist.net

     Fix issue 15 by extending HttpServlet{Request,Response}Wrapper instead
     of just implementing HttpServlet{Request,Response}. As this change only
     changes this classes super class (no longer java.lang.Object) and the
     interfaces are the same this shouldn't cause existing code issues.

     This does fix the problem where containers expect to be able to unwrap
     their original request in the wrapped one.

2009-12-13 16:07:55 HST  schallee at darkmist.net

         fix issues with backslash self for hex digits (issue 77)
         split out tests from CodecTest
         add tests to verify lack of regression for issue 77
         change to not encode alphanumerics
         fix theta/thetasym issues with decoding by backporting 2.0 fix
             (issue 45)
         fix corner case which would throw an IndexOutOfBoundsException
             (issue 78)
         changed massive if (a) ret, if(b) ret, to switch statement
         back port percent codec fixes for issue 75
         back ported to 1.4
         modify some tests to work with 1.4 as 1.4 encodes somethings 

     I think that's all...

2009-12-08 12:28:03 HST  schallee at darkmist.net

     Big nasty patch to back port the XMLEntityCodec to 1.4. This includes
     most of the functionality needed for the HTMLCodec fix which is next.
     This includes codec.HashTrieTest, util.NullSafe and util.CollectionsUtil.

     Two new classes have been added:


     This is a base abstract codec.Codec implementation to
     ease porting. In 1.4 Codec is an interface and in 2.0 it is an abstract
     class. Ports back to 1.4 can use AbstractCodec as their base instead.


     This is a simple class to wrap primitives in their java.lang classes.
     This is here to help back porting of auto boxing code from the 2.0
     branch. By using this instead of new Character(), etc. we can easily
     implement our own fly weight caching of these objects as 1.5 does in
     its auto boxing if and when the overhead incurred in creating new
     objects each time becomes an issue.

2009-12-08 12:11:30 HST  schallee at darkmist.net

     Remove use of sun proprietary normalize method. This breaks this
     functionality, which I do not like. However, this is what has been done
     in the 2.0 branch. There is code commented out in the 2.0 branch to use
     the new java.text.Normalize, however that is only available in 1.6. To
     make matters worse, the interface to the sun proprietary version has
     changed and, as is, this will not compile with later JDKs (at least
     1.6). I am adding an issue to document and remind us about this.

2009-12-07 12:53:53 HST  schallee at darkmist.net

     Change version of Junit library to 3.8.1 instead of 4.4. ESAPI 1.4 is
     targeted at Java 1.4 and Junit 4 requires Java 1.5 (aka 5.0). This 
     allows tests to build with a Java 1.4 compiler.

2009-12-07 12:50:29 HST  schallee at darkmist.net

     Backport current JSP tag libraries from 2.0rcs to 1.4.1rcs

     No changes were needed.

2009-12-06 01:04:48 HST  schallee at darkmist.net

     ignore and delete target directory

2009-12-04 19:26:17 HST  manico.james


2009-12-04 19:25:28 HST  manico.james

     fix to ESAPI log4j configuration

2009-12-04 19:24:27 HST  manico.james

     allowing configuration of Log4J logger in properties file

2009-12-04 19:21:07 HST  manico.james

     setting perm ignore on target folder

2009-12-04 19:17:21 HST  manico.james

     Log4J logger in the 1.4 style of logging is now compiling correctly

2009-12-04 18:55:53 HST  manico.james

     fixing settings for forbidden apis (now just warn; normalize)

2009-12-04 18:48:00 HST  manico.james

     more cleanup....

2009-12-04 18:02:33 HST  manico.james

     fixed issues with Logging

2009-12-04 17:47:59 HST  manico.james

     significant fixes to pom.xml

2009-12-04 17:40:19 HST  manico.james

     more reorg of code for maven

2009-12-04 17:38:02 HST  manico.james

     target should not be checked in, sorry (x3)

2009-12-04 17:37:38 HST  manico.james

     more reorg of code for maven

2009-12-04 17:29:05 HST  manico.james

     target should not be checked in, sorry (x2)

2009-12-04 17:28:33 HST  manico.james

     moving code to proper directories

2009-12-04 17:24:46 HST  manico.james

     target should not be checked in, sorry

2009-12-04 17:21:44 HST  manico.james

     fixing pom...

2009-12-04 17:03:37 HST  manico.james

     pom cleanup

2009-12-04 16:49:19 HST  manico.james

     removed sealing code so building working for now.

2009-12-04 16:39:53 HST  manico.james

     Maven integration working

2009-12-04 16:36:21 HST  manico.james

     updating maven

2009-12-04 16:22:55 HST  manico.james

     backwards compatible fix.

2009-12-04 16:02:34 HST  manico.james

     upgrade to latest Eclipse

2009-12-04 16:02:19 HST  manico.james

     Fix to OracleCodec, small formatting change to MySQLCodec
