[Esapi-user] [Esapi-dev] [OWASP-ESAPI] Vulnerability alerts ....

Mike Boberski mike.boberski at gmail.com
Wed Jan 27 18:02:34 EST 2010


My personal opinion is that that philosophy is more applicable to
enterprise apps and hosted services/apps than products. Esapi is a
product, doesn't matter that it's free, that attribute is irrelevant
for purposes of this discussion. Once that major version number goes
on, pencils down except for patches, and if there is an endless
stream of patches, there are greater problems from either a technology or
process perspective or both. Fwiw, as are all my notes to the
interweb. Redhat or someone needs to take the bull by the horns, inject
resources and more formal process, the php port for example is fun but
now I need that done more than I need entertainment.

On 1/27/10, Jim Manico <jim.manico at owasp.org> wrote:
>  > What is the goal/philosophy of these point releases?
>
> http://en.wikipedia.org/wiki/Release_early,_release_often
>
>> I'm still a little bit concerned of the frequency of the 1.4 series
>> releases as of late.  Given Bernie's other thread re: a mailing list
>> for vulnerability patches, I don't want to consume 1.4.3 and then have
>> to retest everything when 1.4.4 comes out in order to remain PA-DSS
>> compliant.  What is the goal/philosophy of these point releases?
>>
>> On Tue, Jan 26, 2010 at 5:01 PM, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>>     > Not to make this more complicated, but as of a few short months
>>     ago, 1.4.0 was the most recent stable version of ESAPI.  jump
>>     ahead to today, and 1.4.3 was just recently released.
>>
>>     Yes, (I think that) as the project matures we will be releasing
>>     more often. "Release Early, Release Often!"
>>
>>
>>     > Is a point release like this going to have functionality or fixes?
>>
>>     Mostly just fixes. We have *added* new functionality that *helps*
>>     with integration (better configuration, mostly). But we are *not*
>>     changing any of the core interfaces in these point releases. I did
>>     add log4j support recently, but this is an "add on" that does not
>>     break backwards compatibility.
>>
>>     ESAPI 1.4.0 + 1.4.1 are honestly beta, at best. I do not recommend
>>     using either in a production environment. This is a controversial
>>     statement that is my opinion only. 1.4.2 is significantly more
>>     stable and 1.4.3 is mostly a fix to the unit test mechanism. At
>>     bare minimum, upgrade to ESAPI 1.4.2 now.
>>
>>     However, this does NOT apply to release candidates for the 2.0
>>     branch. We have been and will continue to change the core of the
>>     ESAPI 2.0 branch (trunk) until 2.0 is finalized (GA). Once 2.0 is
>>     at GA, I agree that we should not make core changes (ie: changes
>>     to the core interfaces).
>>
>>     Acceptable, Rob? Thoughts - anyone else?
>>
>>     - Jim
>>
>>
>>     2010-01-26 06:41:05 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Since 1.4.3 is out, fix version to 1.4.4-SNAPSHOT...
>>
>>
>>     2010-01-26 06:39:14 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Lots of little fixes for compiler warnings in eclipse in the 1.4
>>        branch. There are still a lot but now there are less...
>>
>>
>>     2010-01-26 01:18:45 HST  manico.james
>>
>>        1.4.3 final!
>>
>>     2010-01-24 11:07:43 HST  manico.james
>>
>>        code comment clarification for order of property file loading
>>
>>     2010-01-23 21:52:42 HST  manico.james
>>
>>        if .esapi folder not found or does not contain ESAPI.properties, look
>>        for a directory named 'resources' on the classpath
>>
>>     2010-01-21 08:31:11 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Unit test for previous commit.
>>
>>
>>     2010-01-21 08:15:35 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Handle null from getResource when a resource is not found. Instead of a
>>        NPE being thrown, a FileNotFoundException is, which is in line with the
>>        javadocs for the method that say an IOException is thrown "If the file
>>        cannot be found or opened for reading."
>>
>>
>>     2010-01-21 08:13:23 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Change version from 1.4.2 to 1.4.3-SNAPSHOT so a stray mvn install
>>        doesn't mess up local repositories.
>>
>>
>>     2010-01-18 03:58:31 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Add wrapped getDisableIntrusionDetection() and change to concrete
>>        instead of abstract so missing methods cause compilation errors with
>>        this instead of subclasses of it (not that direct instances of this
>>        class are very useful...).
>>
>>
>>     2010-01-18 00:43:02 HST  manico.james
>>
>>        1.4.2 final!
>>
>>     2010-01-18 00:36:40 HST  manico.james
>>
>>        pom now titled 1.4.2
>>
>>     2010-01-17 19:58:51 HST  manico.james
>>
>>        backported spaces in resource paths per 1.5 changes
>>
>>     2010-01-17 15:49:29 HST  manico.james
>>
>>        cleanup of new intrusion disable code
>>
>>     2010-01-17 15:29:03 HST  manico.james
>>
>>        properly defaulting intrusion detection disabling to false
>>
>>     2010-01-17 15:00:10 HST  manico.james
>>
>>        Allows for complete disabling of the ESAPI intrusion detector.
>>     Reference implementation ESAPI.properties defaults intrusion
>>     detection to ON.
>>
>>     2010-01-17 14:41:54 HST  manico.james
>>
>>        deprecating encrypt/decrypt functions due to weak crypto
>>
>>     2010-01-17 13:41:00 HST  manico.james
>>
>>        undoing the 2.0->1.4 Encoder changes
>>
>>     2010-01-17 12:09:15 HST  manico.james
>>
>>        backported the entire 1.5 encoder mechanism back to 1.4
>>
>>     2010-01-17 12:04:31 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Make patterns private static in SafeFile instead of one per instance.
>>
>>        Remove some more characters from the tests so that it passes as is in
>>        windows. SafeFile needs work but now isn't the time for it.
>>
>>
>>
>>     2010-01-17 06:33:50 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Add commented sections of pom.xml and external-1.4-jdk.txt containing
>>        information on how to have Maven compile and run tests with an external
>>        1.4 JDK.
>>
>>
>>
>>     2010-01-16 16:53:23 HST  manico.james
>>
>>        Removing System.out.printlns
>>
>>     2010-01-16 16:51:34 HST  manico.james
>>
>>        Fix to filepath validation including relevant unit tests.
>>
>>     2010-01-16 15:42:47 HST  manico.james
>>
>>        normalize removed from codebase completely
>>
>>     2010-01-16 09:19:16 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Use the "basedir" system property to find the src/test/resources directory
>>        containing the config files for tests.
>>
>>
>>     2010-01-16 08:15:42 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Change the CSS encoding in 1.4 to be like the version in 2.0. Update
>>        the EncoderTest to handle this change.
>>
>>
>>     2010-01-16 00:43:55 HST  manico.james
>>
>>     http://code.google.com/p/owasp-esapi-java/issues/detail?id=90
>>     backported to the 1.4 branch
>>
>>     2010-01-15 19:18:16 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Fixes for EncryptedProperties, DefaultEncryptedProperties and
>>        EncryptedPropertiesTest in 1.4. These will be migrated to 2.0 in my
>>        next commit.
>>
>>        Modify DefaultEncryptedProperties#getProperty(String) to return null when
>>        the key does not exist. This is more in line with what users will expect
>>        as it is what java.util.Properties#getProperty(String) does. Previously
>>        this would throw a NullPointerException in Base64#decode(String) when
>>        it tried to decode null, which was confusing at best.
>>
>>        Modify javadoc for EncryptedProperties#getProperty(String) to define
>>        the expected behavior in the case of a non-existent key.
>>
>>        Add EncryptedPropertiesTest#testNonExistantKey() to test the behavior
>>        of non-existent keys in isolation.
>>
>>        Modify EncryptedPropertiesTest#testGetProperty() to not expect an
>>        Exception to be thrown in the case of a non-existent key.
>>
>>        Modify EncryptedPropertiesTest#testKeySet() to not depend on the order
>>        of the keys in the key set.
>>
>>        Combine EncryptedPropertiesTest#testStore()
>>        and EncryptedPropertiesTest#testLoad() into
>>        EncryptedProperties#testStoreLoad() as testLoad() depended on testStore()
>>        running first which I'm not sure junit/surefire guarantees. Also modify
>>        to write to and read from a byte array input and output stream to avoid
>>        managing a temporary file.
>>
>>        Remove EncryptedProperties#main(String[]) as it wasn't worth porting the
>>        above to it and mvn -Dtest=EncryptedPropertiesTest test is functionally
>>        equivalent to what was originally desired.
>>
>>        I think that's all...
>>
>>
>>
>>     2010-01-15 17:47:48 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Change setCurrentHTTP to not attempt to wrap a null request or null
>>        response.
>>
>>
>>     2010-01-15 11:34:55 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Lots of changes to rather broken tests in SafeFileTest. Tests that
>>        were testing java.io.File were modified to actually test SafeFile or
>>        removed. Further, printing of test results and not using junit was fixed.
>>
>>        As there haven't been major changes to SafeFile this change to
>>        SafeFileTest will be committed to the 2.0 branch as well.
>>
>>
>>     2010-01-15 03:48:25 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Fix HTTPUtilitiesTest that was trying to use the resources directory
>>        which was null causing an NPE.
>>
>>        This also adds some file test utilities for creating temporary directories
>>        and recursively removing them. This may be worth forwarding to 2.0 at
>>        some point to help cleanup other file based unit tests there as well.
>>
>>
>>     2010-01-15 03:45:08 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Fix unix test in a similar fashion to how it was fixed in the
>>        2.0 branch. This required the reimplementation/backport of
>>        SecurityConfigurationWrapper for 1.4 as well.
>>
>>
>>     2010-01-15 03:42:05 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Fix unix test that expects /bin/sh to be a directory.
>>
>>        Note that this was also previously fixed in the 2.0 branch.
>>
>>
>>     2010-01-15 03:39:18 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Remove unneeded cast to DefaultSecurityConfiguration which also prevents
>>        other implementations of SecurityConfiguration from working.
>>
>>        Note that this was previously fixed in the 2.0 branch.
>>
>>
>>     2010-01-14 12:43:11 HST  manico.james
>>
>>        validation doc cleanup
>>
>>     2010-01-13 14:58:20 HST  manico.james
>>
>>        documentation cleanup for validation
>>
>>     2010-01-13 14:42:05 HST  manico.james
>>
>>        documentation cleanup for validation
>>
>>     2009-12-13 18:12:09 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        CSSCodec:
>>            switch back to back slash self for printable ascii
>>        EncoderTest:
>>            fix tests that got messed up by back ports and such
>>            normalize still fails but this is known (issue 74)
>>            double encoding fails and needs checking
>>
>>
>>     2009-12-13 17:37:11 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        HashTrieTest#testValues() was throwing a ClassCastException in the
>>        sort. It turns out Boolean is not Comparable in 1.4 but is in 1.5. This
>>        has been changed to Integer in the 1.4 branch.
>>
>>
>>     2009-12-13 17:10:02 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Fix issue 15 by extending HttpServlet{Request,Response}Wrapper instead
>>        of just implementing HttpServlet{Request,Response}. As this change only
>>        changes this class's super class (no longer java.lang.Object) and the
>>        interfaces are the same this shouldn't cause existing code issues.
>>
>>        This does fix the problem where containers expect to be able to unwrap
>>        their original request in the wrapped one.
>>
>>
>>     2009-12-13 16:07:55 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        CSSCodec:
>>            fix issues with backslash self for hex digits (issue 77)
>>            split out tests from CodecTest
>>            add tests to verify lack of regression for issue 77
>>            change to not encode alphanumerics
>>        HTMLEntityCodec:
>>            fix theta/thetasym issues with decoding by backporting 2.0 fix
>>                (issue 45)
>>        JavaScriptCodec:
>>            fix corner case which would throw an IndexOutOfBoundsException (issue 78)
>>            changed massive if (a) ret, if(b) ret, to switch statement
>>        PercentCodec:
>>            back port percent codec fixes for issue 75
>>        CodecTest:
>>            back ported to 1.4
>>            modify some tests to work with 1.4 as 1.4 encodes some things differently
>>
>>        I think that's all...
>>
>>
>>
>>     2009-12-08 12:28:03 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Big nasty patch to back port the XMLEntityCodec to 1.4. This includes
>>        most of the functionality needed for the HTMLCodec fix which is next. This
>>        includes codec.HashTrieTest, util.NullSafe and util.CollectionsUtil.
>>
>>        Two new classes have been added:
>>
>>        codec.AbstractCodec:
>>
>>        This is a base abstract codec.Codec implementation to
>>        ease porting. In 1.4 Codec is an interface and in 2.0 it is an abstract
>>        class. Ports back to 1.4 can use AbstractCodec as their base instead.
>>
>>        util.PrimWrap:
>>
>>        This is a simple class to wrap primitives in their java.lang classes. This
>>        is here to help back porting of auto boxing code from the 2.0 branch. By
>>        using this instead of new Character(), etc we can easily implement our
>>        own flyweight caching of these objects as 1.5 does in its auto boxing
>>        if and when the overhead incurred in creating new objects each time
>>        becomes an issue.
>>
>>
>>
>>     2009-12-08 12:11:30 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Remove use of sun proprietary normalize method. This breaks this method's
>>        functionality which I do not like. However, this is what has been done
>>        in the 2.0 branch. There is code commented out in the 2.0 branch to use
>>        the new java.text.Normalize however that is only available in 1.6. To
>>        make matters worse, the interface to the sun proprietary version has
>>        changed and, as is, this will not compile with later JDKs (at least
>>        1.6). I am adding an issue to document and remind us about this.
>>
>>
>>
>>     2009-12-07 12:53:53 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Change version of Junit library to 3.8.1 instead of 4.4. ESAPI 1.4 is
>>        targeted at Java 1.4 and Junit 4 requires Java 1.5 (aka 5.0). This change
>>        allows tests to build with a Java 1.4 compiler.
>>
>>
>>
>>     2009-12-07 12:50:29 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        Backport current JSP tag libraries from 2.0rcs to 1.4.1rcs
>>
>>        No changes were needed.
>>
>>
>>
>>     2009-12-06 01:04:48 HST schallee at darkmist.net
>>     <mailto:schallee at darkmist.net>
>>
>>        ignore and delete target directory
>>
>>
>>     2009-12-04 19:26:17 HST  manico.james
>>
>>        update
>>
>>     2009-12-04 19:25:28 HST  manico.james
>>
>>        fix to ESAPI log4j configuration
>>
>>     2009-12-04 19:24:27 HST  manico.james
>>
>>        allowing configuration of Log4J logger in properties file
>>
>>     2009-12-04 19:21:07 HST  manico.james
>>
>>        setting perm ignore on target folder
>>
>>     2009-12-04 19:17:21 HST  manico.james
>>
>>        Log4J logger in the 1.4 style of logging is now compiling correctly
>>
>>     2009-12-04 18:55:53 HST  manico.james
>>
>>        fixing settings for forbidden apis (now just warn; normalize)
>>
>>     2009-12-04 18:48:00 HST  manico.james
>>
>>        more cleanup....
>>
>>     2009-12-04 18:02:33 HST  manico.james
>>
>>        fixed issues with Logging
>>
>>     2009-12-04 17:47:59 HST  manico.james
>>
>>        significant fixes to pom.xml
>>
>>     2009-12-04 17:40:19 HST  manico.james
>>
>>        more reorg of code for maven
>>
>>     2009-12-04 17:38:02 HST  manico.james
>>
>>        target should not be checked in, sorry (x3)
>>
>>     2009-12-04 17:37:38 HST  manico.james
>>
>>        more reorg of code for maven
>>
>>     2009-12-04 17:29:05 HST  manico.james
>>
>>        target should not be checked in, sorry (x2)
>>
>>     2009-12-04 17:28:33 HST  manico.james
>>
>>        moving code to proper directories
>>
>>     2009-12-04 17:24:46 HST  manico.james
>>
>>        target should not be checked in, sorry
>>
>>     2009-12-04 17:21:44 HST  manico.james
>>
>>        fixing pom...
>>
>>     2009-12-04 17:03:37 HST  manico.james
>>
>>        pom cleanup
>>
>>     2009-12-04 16:49:19 HST  manico.james
>>
>>        removed sealing code so building working for now.
>>
>>     2009-12-04 16:39:53 HST  manico.james
>>
>>        Maven integration working
>>
>>     2009-12-04 16:36:21 HST  manico.james
>>
>>        updating maven
>>
>>     2009-12-04 16:22:55 HST  manico.james
>>
>>        backwards compatible fix.
>>
>>     2009-12-04 16:02:34 HST  manico.james
>>
>>        upgrade to latest Eclipse
>>
>>     2009-12-04 16:02:19 HST  manico.james
>>
>>        Fix to OracleCodec, small formatting change to MySQLCodec
>>
>>
>
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>
>


-- 
Mike
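The CSSCodec commits in the quoted change log (backslash-self for printable ASCII, alphanumerics left unencoded, the hex-digit problem tracked as issue 77) state an encoding rule but do not show why the hex-digit case matters. The following is an added example written for this page, not ESAPI's CSSCodec: it implements the rule as I read it from those commit messages, pairs it with a tokenizer-style decoder so the ambiguity is visible, and keeps an unterminated "before" form as `naiveEncode` for contrast. The class name, the decoder and the choice of a space as escape terminator are assumptions of this example, not taken from the project.

```java
// Added example, not ESAPI code. CSS escape syntax: a backslash followed by
// one to six hex digits is a code point escape, and one whitespace character
// after the digits belongs to the escape. A backslash followed by a non-hex
// character is that character, literally. So escaping a hex-digit letter as
// backslash-self, or leaving a hex escape unterminated in front of data that
// happens to start with a hex digit, changes what the browser reads.
public final class CssEscapeExample {

    private CssEscapeExample() {}

    private static boolean isAlphaNumeric(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    private static boolean isCssWhitespace(char c) {
        return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f';
    }

    /** The "before" form being contrasted: backslash + hex with no terminator. Ambiguous; do not use. */
    public static String naiveEncode(String input) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (isAlphaNumeric(c)) out.append(c);
            else out.append('\\').append(Integer.toHexString(c));
        }
        return out.toString();
    }

    /**
     * Encode untrusted data for a CSS string or property value: alphanumerics
     * untouched (never backslash-self, since a-f and 0-9 would read as hex),
     * other printable ASCII as backslash-self, everything else as a hex escape
     * terminated by a space so the following character cannot be absorbed.
     */
    public static String encodeForCss(String input) {
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (isAlphaNumeric(c)) {
                out.append(c);
            } else if (c >= 0x20 && c <= 0x7e) {
                out.append('\\').append(c);
            } else {
                out.append('\\').append(Integer.toHexString(c)).append(' ');
            }
        }
        return out.toString();
    }

    /** Decode escapes the way a CSS tokenizer does (greedy: up to six hex digits, then one optional whitespace). */
    public static String decodeCss(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c != '\\' || i + 1 >= s.length()) {
                out.append(c);
                i++;
                continue;
            }
            int start = i + 1;
            int end = start;
            while (end < s.length() && end - start < 6 && Character.digit(s.charAt(end), 16) != -1) {
                end++;
            }
            if (end == start) {
                out.append(s.charAt(start)); // backslash-self: the next character is literal
                i = start + 1;
                continue;
            }
            int cp = Integer.parseInt(s.substring(start, end), 16);
            out.appendCodePoint(cp == 0 || cp > Character.MAX_CODE_POINT ? 0xFFFD : cp);
            i = end;
            if (i < s.length() && isCssWhitespace(s.charAt(i))) {
                if (s.charAt(i) == '\r' && i + 1 < s.length() && s.charAt(i + 1) == '\n') i++;
                i++; // the single whitespace after the digits is part of the escape
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a newline followed by "bad". The newline encodes as the
        // hex digit "a", and b, a, d are hex digits too, so an unterminated escape
        // swallows them: "\abad" is read as the single code point U+ABAD.
        String untrusted = "\nbad";
        String naive = naiveEncode(untrusted);   // "\abad"
        String safe = encodeForCss(untrusted);   // "\a bad"
        System.out.println("naive round-trips: " + decodeCss(naive).equals(untrusted)); // false
        System.out.println("safe round-trips:  " + decodeCss(safe).equals(untrusted));  // true

        // Constructed breakout attempt: punctuation becomes backslash-self and is inert.
        String breakout = "red; } body { background:url(http://evil.example/)";
        System.out.println(encodeForCss(breakout));
        System.out.println("breakout round-trips: " + decodeCss(encodeForCss(breakout)).equals(breakout));
    }
}
```

The decoder is the part worth keeping next to any encoder you write for a CSS context: if a round trip through a tokenizer-faithful decoder does not give back the original input, the encoder has an ambiguity an attacker can use, regardless of whether the output "looks" escaped.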
