[Esapi-user] [Esapi-dev] [OWASP-ESAPI] Vulnerability alerts ....

Jim Manico jim.manico at owasp.org
Wed Jan 27 17:12:19 EST 2010


 > What is the goal/philosophy of these point releases?

http://en.wikipedia.org/wiki/Release_early,_release_often

> I'm still a little bit concerned about the frequency of the 1.4 series 
> releases as of late.  Given Bernie's other thread re: a mailing list 
> for vulnerability patches, I don't want to consume 1.4.3 and then have 
> to retest everything when 1.4.4 comes out in order to remain PA-DSS 
> compliant.  What is the goal/philosophy of these point releases?
>
> On Tue, Jan 26, 2010 at 5:01 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     > Not to make this more complicated, but as of a few short months
>     ago, 1.4.0 was the most recent stable version of ESAPI.  jump
>     ahead to today, and 1.4.3 was just recently released.
>
>     Yes, (I think that) as the project matures we will be releasing
>     more often. "Release Early, Release Often!"
>
>
>     > Is a point release like this going to have functionality or fixes?
>
>     Mostly just fixes. We have *added* new functionality that *helps*
>     with integration (better configuration, mostly). But we are *not*
>     changing any of the core interfaces in these point releases. I did
>     add log4j support recently, but this is an "add on" that does not
>     break backwards compatibility.
>
>     ESAPI 1.4.0 + 1.4.1 are honestly beta, at best. I do not recommend
>     using either in a production environment. This is a controversial
>     statement that is my opinion only. 1.4.2 is significantly more
>     stable and 1.4.3 is mostly a fix to the unit test mechanism. At
>     bare minimum, upgrade to ESAPI 1.4.2 now.
>
>     However, this does NOT apply to release candidates for the 2.0
>     branch. We have been and will continue to change the core of the
>     ESAPI 2.0 branch (trunk) until 2.0 is finalized (GA). Once 2.0 is
>     at GA, I agree that we should not make core changes (ie: changes
>     to the core interfaces).
>
>     Acceptable, Rob? Thoughts - anyone else?
>
>     - Jim
>
>
>     2010-01-26 06:41:05 HST schallee at darkmist.net
>
>        Since 1.4.3 is out, fix version to 1.4.4-SNAPSHOT...
>
>
>     2010-01-26 06:39:14 HST schallee at darkmist.net
>
>        Lots of little fixes for compiler warnings in eclipse in the 1.4
>        branch. There are still a lot but now there are less...
>
>
>     2010-01-26 01:18:45 HST  manico.james
>
>        1.4.3 final!
>
>     2010-01-24 11:07:43 HST  manico.james
>
>        code comment clarification for order of property file loading
>
>     2010-01-23 21:52:42 HST  manico.james
>
>         if .esapi folder not found or does not contain
>     ESAPI.properties, look for a directory named 'resources' on the
>     classpath
>
>     2010-01-21 08:31:11 HST schallee at darkmist.net
>
>        Unit test for previous commit.
>
>
>     2010-01-21 08:15:35 HST schallee at darkmist.net
>
>        Handle null from getResource when a resource is not found. Instead of an
>        NPE being thrown, a FileNotFoundException is, which is in line with the
>        javadocs for the method that say an IOException is thrown "If the file
>        cannot be found or opened for reading."
>
>
>     2010-01-21 08:13:23 HST schallee at darkmist.net
>
>        Change version from 1.4.2 to 1.4.3-SNAPSHOT so a stray mvn install
>        doesn't mess up local repositories.
>
>
>     2010-01-18 03:58:31 HST schallee at darkmist.net
>
>        Add wrapped getDisableIntrusionDetection() and change to concrete
>        instead of abstract so missing methods cause compilation errors with
>        this instead of subclasses of it (not that direct instances of this
>        class are very useful...).
>
>
>     2010-01-18 00:43:02 HST  manico.james
>
>        1.4.2 final!
>
>     2010-01-18 00:36:40 HST  manico.james
>
>        pom now titled 1.4.2
>
>     2010-01-17 19:58:51 HST  manico.james
>
>        backported spaces in resource paths per 1.5 changes
>
>     2010-01-17 15:49:29 HST  manico.james
>
>        cleanup of new intrusion disable code
>
>     2010-01-17 15:29:03 HST  manico.james
>
>        properly defaulting intrusion detection disabling to false
>
>     2010-01-17 15:00:10 HST  manico.james
>
>        Allows for complete disabling of the ESAPI intrusion detector.
>     Reference implementation ESAPI.properties defaults intrusion
>     detection to ON.
>
>     2010-01-17 14:41:54 HST  manico.james
>
>        deprecating encrypt/decrypt functions due to weak crypto
>
>     2010-01-17 13:41:00 HST  manico.james
>
>        undoing the 2.0->1.4 Encoder changes
>
>     2010-01-17 12:09:15 HST  manico.james
>
>        backported the entire 1.5 encoder mechanism back to 1.4
>
>     2010-01-17 12:04:31 HST schallee at darkmist.net
>
>        Make patterns private static in SafeFile instead of one per instance.
>
>        Remove some more characters from the tests so that it passes as is in
>        Windows. SafeFile needs work but now isn't the time for it.
>
>
>
>     2010-01-17 06:33:50 HST schallee at darkmist.net
>
>        Add commented sections of pom.xml and external-1.4-jdk.txt containing
>        information on how to have Maven compile and run tests with an external
>        1.4 JDK.
>
>
>
>     2010-01-16 16:53:23 HST  manico.james
>
>        Removing System.out.printlns
>
>     2010-01-16 16:51:34 HST  manico.james
>
>        Fix to filepath validation including relevant unit tests.
>
>     2010-01-16 15:42:47 HST  manico.james
>
>        normalize removed from codebase completely
>
>     2010-01-16 09:19:16 HST schallee at darkmist.net
>
>        Use the "basedir" system property to find the src/test/resources directory
>        containing the config files for tests.
>
>
>     2010-01-16 08:15:42 HST schallee at darkmist.net
>
>        Change the CSS encoding in 1.4 to be like the version in 2.0. Update
>        the EncoderTest to handle this change.
>
>
>     2010-01-16 00:43:55 HST  manico.james
>
>     http://code.google.com/p/owasp-esapi-java/issues/detail?id=90
>     backported to the 1.4 branch
>
>     2010-01-15 19:18:16 HST schallee at darkmist.net
>
>        Fixes for Encryptedproperties, DefaultEncryptedProperties and
>        EncryptedPropertiesTest in 1.4. These will be migrated to 2.0 in my
>        next commit.
>
>        Modify DefaultEncrypedProperties#getProperty(String) to return null when
>        the key does not exist. This is more in line with what users will expect
>        as it is what java.util.Properties#getProperty(String) does. Previously
>        this would throw a NullPointerException in Base64#decode(String) when
>        it tried to decode null, which was confusing at best.
>
>        Modify javadoc for EncryptedProperties#getProperty(String) to define
>        the expected behavior in the case of a non-existent key.
>
>        Add EncryptedPropertiesTest#testNonExistantKey() to test the behavior
>        of non-existent keys in isolation.
>
>        Modify EncryptedPropertiesTest#testGetProperty() to not expect an
>        Exception to be thrown in the case of a non-existent key.
>
>        Modify EncrypedPropertiesTest#testKeySet() to not depend on the order
>        of the keys in the key set.
>
>        Combine EncrypedPropertiesTest#testStore()
>        and EncryptedPropertiesTest#testLoad() into
>        EncryptedProperties#testStoreLoad() as testLoad() depended on testStore()
>        running first, which I'm not sure junit/surefire guarantees. Also modify
>        to write to and read from a byte array input and output stream to avoid
>        managing a temporary file.
>
>        Remove EncryptedProperties#main(String[]) as it wasn't worth porting the
>        above to it and mvn -Dtest=EncryptedPropertiesTest test is functionally
>        equivalent to what was originally desired.
>
>        I think that's all...
>
>
>
>     2010-01-15 17:47:48 HST schallee at darkmist.net
>
>        Change setCurrentHTTP to not attempt to wrap a null request or null
>        response.
>
>
>     2010-01-15 11:34:55 HST schallee at darkmist.net
>
>        Lots of changes to rather broken tests in SafeFileTest. Tests that
>        were testing java.io.File were modified to actually test SafeFile or
>        removed. Further, printing of test results and not using junit was fixed.
>
>        As there haven't been major changes to SafeFile this change to
>        SafeFileTest will be committed to the 2.0 branch as well.
>
>
>     2010-01-15 03:48:25 HST schallee at darkmist.net
>
>        Fix HTTPUtilitiesTest that was trying to use the resources directory
>        which was null, causing an NPE.
>
>        This also adds some file test utilities for creating temporary directories
>        and recursively removing them. This may be worth forwarding to 2.0 at
>        some point to help clean up other file based unit tests there as well.
>
>
>     2010-01-15 03:45:08 HST schallee at darkmist.net
>
>        Fix unix test in a similar fashion to how it was fixed in the
>        2.0 branch. This required the reimplementation/backport of
>        SecurityConfigurationWrapper for 1.4 as well.
>
>
>     2010-01-15 03:42:05 HST schallee at darkmist.net
>
>        Fix unix test that expects /bin/sh to be a directory.
>
>        Note that this was also previously fixed in the 2.0 branch.
>
>
>     2010-01-15 03:39:18 HST schallee at darkmist.net
>
>        Remove unneeded cast to DefaultSecurityConfiguration which also prevents
>        other implementations of SecurityConfiguration from working.
>
>        Note that this was previously fixed in the 2.0 branch.
>
>
>     2010-01-14 12:43:11 HST  manico.james
>
>        validation doc cleanup
>
>     2010-01-13 14:58:20 HST  manico.james
>
>        documentation cleanup for validation
>
>     2010-01-13 14:42:05 HST  manico.james
>
>        documentation cleanup for validation
>
>     2009-12-13 18:12:09 HST schallee at darkmist.net
>
>        CSSCodec:
>            switch back to back slash self for printable ascii
>        EncoderTest:
>            fix tests that got messed up by back ports and such
>            normalize still fails but this is known (issue 74)
>            double encoding fails and needs checking
>
>
>     2009-12-13 17:37:11 HST schallee at darkmist.net
>
>        HashTrieTest#testValues() was throwing a ClassCastException in the
>        sort. It turns out Boolean is not Comparable in 1.4 but is in 1.5. This
>        has been changed to Integer in the 1.4 branch.
>
>
>     2009-12-13 17:10:02 HST schallee at darkmist.net
>
>        Fix issue 15 by extending HttpServlet{Request,Response}Wrapper instead
>        of just implementing HttpServlet{Request,Response}. As this change only
>        changes this class's super class (no longer java.lang.Object) and the
>        interfaces are the same this shouldn't cause existing code issues.
>
>        This does fix the problem where containers expect to be able to unwrap
>        their original request in the wrapped one.
>
>
>     2009-12-13 16:07:55 HST schallee at darkmist.net
>
>        CSSCodec:
>            fix issues with backslash self for hex digits (issue 77)
>            split out tests from CodecTest
>            add tests to verify lack of regression for issue 77
>            change to not encode alphanumerics
>        HTMLEntityCodec:
>            fix theta/thetasym issues with decoding by backporting 2.0 fix
>                (issue 45)
>        JavaScriptCodec:
>            fix corner case which would throw an IndexOutOfBoundsException (issue 78)
>            changed massive if (a) ret, if(b) ret, to switch statement
>        PercentCodec:
>            back port percent codec fixes for issue 75
>        CodecTest:
>            back ported to 1.4
>            modify some tests to work with 1.4 as 1.4 encodes some things differently
>
>        I think that's all...
>
>
>
>     2009-12-08 12:28:03 HST schallee at darkmist.net
>
>        Big nasty patch to back port the XMLEntityCodec to 1.4. This includes
>        most of the functionality needed for the HTMLCodec fix which is next. This
>        includes codec.HashTrieTest, util.NullSafe and util.CollectionsUtil.
>
>        Two new classes have been added:
>
>        codec.AbstractCodec:
>
>        This is a base abstract codec.Codec implementation to
>        ease porting. In 1.4 Codec is an interface and in 2.0 it is an abstract
>        class. Ports back to 1.4 can use AbstractCodec as their base instead.
>
>        util.PrimWrap:
>
>        This is a simple class to wrap primitives in their java.lang classes. This
>        is here to help back porting of auto boxing code from the 2.0 branch. By
>        using this instead of new Character(), etc we can easily implement our
>        own fly weight caching of these objects as 1.5 does in its auto boxing
>        if and when the overhead incurred in creating new objects each time
>        becomes an issue.
>
>
>
>     2009-12-08 12:11:30 HST schallee at darkmist.net
>
>        Remove use of sun proprietary normalize method. This breaks this method's
>        functionality which I do not like. However, this is what has been done
>        in the 2.0 branch. There is code commented out in the 2.0 branch to use
>        the new java.text.Normalize however that is only available in 1.6. To
>        make matters worse, the interface to the sun proprietary version has
>        changed and, as is, this will not compile with later JDKs (at least
>        1.6). I am adding an issue to document and remind us about this.
>
>
>
>     2009-12-07 12:53:53 HST schallee at darkmist.net
>
>        Change version of Junit library to 3.8.1 instead of 4.4. ESAPI 1.4 is
>        targeted at Java 1.4 and Junit 4 requires Java 1.5 (aka 5.0). This change
>        allows tests to build with a Java 1.4 compiler.
>
>
>
>     2009-12-07 12:50:29 HST schallee at darkmist.net
>
>        Backport current JSP tag libraries from 2.0rcs to 1.4.1rcs
>
>        No changes were needed.
>
>
>
>     2009-12-06 01:04:48 HST schallee at darkmist.net
>
>        ignore and delete target directory
>
>
>     2009-12-04 19:26:17 HST  manico.james
>
>        update
>
>     2009-12-04 19:25:28 HST  manico.james
>
>        fix to ESAPI log4j configuration
>
>     2009-12-04 19:24:27 HST  manico.james
>
>        allowing configuration of Log4J logger in properties file
>
>     2009-12-04 19:21:07 HST  manico.james
>
>        setting perm ignore on target folder
>
>     2009-12-04 19:17:21 HST  manico.james
>
>        Log4J logger in the 1.4 style of logging is now compiling correctly
>
>     2009-12-04 18:55:53 HST  manico.james
>
>        fixing settings for forbidden apis (now just warn; normalize)
>
>     2009-12-04 18:48:00 HST  manico.james
>
>        more cleanup....
>
>     2009-12-04 18:02:33 HST  manico.james
>
>        fixed issues with Logging
>
>     2009-12-04 17:47:59 HST  manico.james
>
>        significant fixes to pom.xml
>
>     2009-12-04 17:40:19 HST  manico.james
>
>        more reorg of code for maven
>
>     2009-12-04 17:38:02 HST  manico.james
>
>        target should not be checked in, sorry (x3)
>
>     2009-12-04 17:37:38 HST  manico.james
>
>        more reorg of code for maven
>
>     2009-12-04 17:29:05 HST  manico.james
>
>        target should not be checked in, sorry (x2)
>
>     2009-12-04 17:28:33 HST  manico.james
>
>        moving code to proper directories
>
>     2009-12-04 17:24:46 HST  manico.james
>
>        target should not be checked in, sorry
>
>     2009-12-04 17:21:44 HST  manico.james
>
>        fixing pom...
>
>     2009-12-04 17:03:37 HST  manico.james
>
>        pom cleanup
>
>     2009-12-04 16:49:19 HST  manico.james
>
>        removed sealing code so building working for now.
>
>     2009-12-04 16:39:53 HST  manico.james
>
>        Maven integration working
>
>     2009-12-04 16:36:21 HST  manico.james
>
>        updating maven
>
>     2009-12-04 16:22:55 HST  manico.james
>
>        backwards compatible fix.
>
>     2009-12-04 16:02:34 HST  manico.james
>
>        upgrade to latest Eclipse
>
>     2009-12-04 16:02:19 HST  manico.james
>
>        Fix to OracleCodec, small formatting change to MySQLCodec
>
>


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
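Two of the 1.4.3 commits quoted above describe how the configuration file is located (a ".esapi" folder first, then a "resources" directory on the classpath) and how a missing classpath resource should surface as a FileNotFoundException rather than a NullPointerException. The example below is added here to illustrate that lookup order and null guard; it is not ESAPI's own code. The class name ConfigLocator, the method names, and the choice of the user's home directory as the parent of the ".esapi" folder are assumptions made for this example (the commit message names the folder but not where it lives). The code avoids generics and try-with-resources so it matches the Java 1.4 target the 1.4 branch describes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.Properties;

/**
 * Illustrative loader for ESAPI.properties (example code, not ESAPI's own).
 * Lookup order follows the quoted commits: a ".esapi" directory first, then
 * a "resources" directory on the classpath. Placing ".esapi" under user.home
 * is an assumption for this example.
 */
public final class ConfigLocator {

    private static final String FILE_NAME = "ESAPI.properties";

    private ConfigLocator() {
    }

    /** Candidate on disk: <user.home>/.esapi/ESAPI.properties (assumed location). */
    static File homeCandidate() {
        File esapiDir = new File(System.getProperty("user.home"), ".esapi");
        return new File(esapiDir, FILE_NAME);
    }

    /**
     * Open a classpath resource. ClassLoader.getResource returns null when
     * nothing matches; calling openStream() on that null is the NPE the
     * commit log refers to, so the null is converted into the IOException
     * subtype that the "cannot be found" contract promises.
     */
    static InputStream openClasspathResource(ClassLoader loader, String path)
            throws IOException {
        URL url = loader.getResource(path);
        if (url == null) {
            throw new FileNotFoundException("classpath resource not found: " + path);
        }
        return url.openStream();
    }

    /** Resolve and load the properties, trying the disk location before the classpath. */
    public static Properties load(ClassLoader loader) throws IOException {
        Properties props = new Properties();
        File onDisk = homeCandidate();
        InputStream in;
        if (onDisk.isFile()) {
            in = new FileInputStream(onDisk);
        } else {
            in = openClasspathResource(loader, "resources/" + FILE_NAME);
        }
        try {
            props.load(in);
        } finally {
            in.close();
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        ClassLoader loader = ConfigLocator.class.getClassLoader();
        try {
            Properties p = load(loader);
            System.out.println("loaded " + p.size() + " properties");
        } catch (FileNotFoundException e) {
            // Reached when neither location has the file: a clear message
            // instead of a NullPointerException from openStream().
            System.out.println("no " + FILE_NAME + ": " + e.getMessage());
        }
    }
}
```

One practical consequence of this search order is worth checking in a deployment: because the on-disk location wins over the packaged copy, whoever can write to that directory can replace the security configuration the application runs with. Confirm the directory's ownership and permissions on the account the application runs as, and decide deliberately whether a home-directory override is something you want in production.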
