[Esapi-user] [Esapi-dev] [OWASP-ESAPI] Vulnerability alerts ....

Jim Manico jim.manico at owasp.org
Wed Jan 27 18:16:45 EST 2010


The truth is that we rushed out ESAPI 1.4.0 with a *large* number of 
bugs - but this was somewhat disclosed since many of our unit tests did 
not pass. Each of these point releases increases the quality and 
integrity of the project.

I plan to release 1.4.4 this or next week so we finally, _*for the first 
time*_, actually pass all the unit tests within the 1.4 branch. We will 
slow down releases after 1.4.4 unless something critical comes up.

ESAPI 2.0 has a more mature release process in place. We are on the 4th 
release *candidate* and do not intend to promote it to GA until we have 
a release quality product.

I feel personally ashamed for all of the bleeding that early adopters of 
ESAPI 1.4 have experienced. I get a lot of off-list email with a wide 
variety of questions and problems.

But I feel that 1.4.4 will bring us to a place of better integrity with 
ESAPI 1.4, which is why I wish to release it soon.

And we should all thank Ed Shaller for his many efforts in cleaning up 
the 1.4 branch.

-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net





> My personal opinion is that that philosophy is more applicable to
> enterprise apps and hosted services/apps than products. ESAPI is a
> product; it doesn't matter that it's free, that attribute is irrelevant
> for purposes of this discussion. Once that major version number goes
> on, pencils down except for patches, and if there is an endless
> stream of patches, there are greater problems from either a technology or
> process perspective or both. FWIW, as are all my notes to the
> interweb. Redhat or someone needs to take the bull by the horns, inject
> resources and more formal process; the PHP port for example is fun but
> now I need that done more than I need entertainment.
>
> On 1/27/10, Jim Manico<jim.manico at owasp.org>  wrote:
>    
>>   >  What is the goal/philosophy of these point releases?
>>
>> http://en.wikipedia.org/wiki/Release_early,_release_often
>>
>>      
>>> I'm still a little bit concerned of the frequency of the 1.4 series
>>> releases as of late.  Given Bernie's other thread re: a mailing list
>>> for vulnerability patches, I don't want to consume 1.4.3 and then have
>>> to retest everything when 1.4.4 comes out in order to remain PA-DSS
>>> compliant.  What is the goal/philosophy of these point releases?
>>>
>>> On Tue, Jan 26, 2010 at 5:01 PM, Jim Manico<jim.manico at owasp.org>  wrote:
>>>
>>>      >  Not to make this more complicated, but as of a few short months
>>>      ago, 1.4.0 was the most recent stable version of ESAPI.  jump
>>>      ahead to today, and 1.4.3 was just recently released.
>>>
>>>      Yes, (I think that) as the project matures we will be releasing
>>>      more often. "Release Early, Release Often!"
>>>
>>>
>>>      >  Is a point release like this going to have functionality or fixes?
>>>
>>>      Mostly just fixes. We have *added* new functionality that *helps*
>>>      with integration (better configuration, mostly). But we are *not*
>>>      changing any of the core interfaces in these point releases. I did
>>>      add log4j support recently, but this is an "add on" that does not
>>>      break backwards compatibility.
>>>
>>>      ESAPI 1.4.0 + 1.4.1 are honestly beta, at best. I do not recommend
>>>      using either in a production environment. This is a controversial
>>>      statement that is my opinion only. 1.4.2 is significantly more
>>>      stable and 1.4.3 is mostly a fix to the unit test mechanism. At
>>>      bare minimum, upgrade to ESAPI 1.4.2 now.
>>>
>>>      However, this does NOT apply to release candidates for the 2.0
>>>      branch. We have been and will continue to change the core of the
>>>      ESAPI 2.0 branch (trunk) until 2.0 is finalized (GA). Once 2.0 is
>>>      at GA, I agree that we should not make core changes (i.e. changes
>>>      to the core interfaces).
>>>
>>>      Acceptable, Rob? Thoughts - anyone else?
>>>
>>>      - Jim
>>>
>>>
>>>      2010-01-26 06:41:05 HST schallee at darkmist.net
>>>
>>>         Since 1.4.3 is out, fix version to 1.4.4-SNAPSHOT...
>>>
>>>
>>>      2010-01-26 06:39:14 HST schallee at darkmist.net
>>>
>>>         Lots of little fixes for compiler warnings in eclipse in the 1.4
>>>         branch. There are still a lot but now there are less...
>>>
>>>
>>>      2010-01-26 01:18:45 HST  manico.james
>>>
>>>         1.4.3 final!
>>>
>>>      2010-01-24 11:07:43 HST  manico.james
>>>
>>>         code comment clarification for order of property file loading
>>>
>>>      2010-01-23 21:52:42 HST  manico.james
>>>
>>>          if .esapi folder not found or does not contain
>>>      ESAPI.properties, look for a directory named 'resources' on the
>>>      classpath
>>>
>>>      2010-01-21 08:31:11 HST schallee at darkmist.net
>>>
>>>         Unit test for previous commit.
>>>
>>>
>>>      2010-01-21 08:15:35 HST schallee at darkmist.net
>>>
>>>         Handle null from getResource when a resource is not found. Instead
>>>         of an NPE being thrown, a FileNotFoundException is, which is in line
>>>         with the javadocs for the method that say an IOException is thrown
>>>         "If the file cannot be found or opened for reading."
>>>
>>>
>>>      2010-01-21 08:13:23 HST schallee at darkmist.net
>>>
>>>         Change version from 1.4.2 to 1.4.3-SNAPSHOT so a stray mvn install
>>>         doesn't mess up local repositories.
>>>
>>>
>>>      2010-01-18 03:58:31 HST schallee at darkmist.net
>>>
>>>         Add wrapped getDisableIntrusionDetection() and change to concrete
>>>         instead of abstract so missing methods cause compilation errors with
>>>         this instead of subclasses of it (not that direct instances of this
>>>         class are very useful...).
>>>
>>>
>>>      2010-01-18 00:43:02 HST  manico.james
>>>
>>>         1.4.2 final!
>>>
>>>      2010-01-18 00:36:40 HST  manico.james
>>>
>>>         pom now titled 1.4.2
>>>
>>>      2010-01-17 19:58:51 HST  manico.james
>>>
>>>         backported spaces in resource paths per 1.5 changes
>>>
>>>      2010-01-17 15:49:29 HST  manico.james
>>>
>>>         cleanup of new intrusion disable code
>>>
>>>      2010-01-17 15:29:03 HST  manico.james
>>>
>>>         properly defaulting intrusion detection disabling to false
>>>
>>>      2010-01-17 15:00:10 HST  manico.james
>>>
>>>         Allows for complete disabling of the ESAPI intrusion detector.
>>>      Reference implementation ESAPI.properties defaults intrusion
>>>      detection to ON.
>>>
>>>      2010-01-17 14:41:54 HST  manico.james
>>>
>>>         deprecating encrypt/decrypt functions due to weak crypto
>>>
>>>      2010-01-17 13:41:00 HST  manico.james
>>>
>>>         undoing the 2.0->1.4 Encoder changes
>>>
>>>      2010-01-17 12:09:15 HST  manico.james
>>>
>>>         backported the entire 1.5 encoder mechanism back to 1.4
>>>
>>>      2010-01-17 12:04:31 HST schallee at darkmist.net
>>>
>>>         Make patterns private static in SafeFile instead of one per instance.
>>>
>>>         Remove some more characters from the tests so that it passes as is
>>>         in Windows. SafeFile needs work but now isn't the time for it.
>>>
>>>
>>>
>>>      2010-01-17 06:33:50 HST schallee at darkmist.net
>>>
>>>         Add commented sections of pom.xml and external-1.4-jdk.txt containing
>>>         information on how to have Maven compile and run tests with an
>>>         external 1.4 JDK.
>>>
>>>
>>>
>>>      2010-01-16 16:53:23 HST  manico.james
>>>
>>>         Removing System.out.printlns
>>>
>>>      2010-01-16 16:51:34 HST  manico.james
>>>
>>>         Fix to filepath validation including relevant unit tests.
>>>
>>>      2010-01-16 15:42:47 HST  manico.james
>>>
>>>         normalize removed from codebase completely
>>>
>>>      2010-01-16 09:19:16 HST schallee at darkmist.net
>>>
>>>         Use the "basedir" system property to find the src/test/resources
>>>         directory containing the config files for tests.
>>>
>>>
>>>      2010-01-16 08:15:42 HST schallee at darkmist.net
>>>
>>>         Change the CSS encoding in 1.4 to be like the version in 2.0. Update
>>>         the EncoderTest to handle this change.
>>>
>>>
>>>      2010-01-16 00:43:55 HST  manico.james
>>>
>>>      http://code.google.com/p/owasp-esapi-java/issues/detail?id=90
>>>      backported to the 1.4 branch
>>>
>>>      2010-01-15 19:18:16 HST schallee at darkmist.net
>>>
>>>         Fixes for EncryptedProperties, DefaultEncryptedProperties and
>>>         EncryptedPropertiesTest in 1.4. These will be migrated to 2.0 in my
>>>         next commit.
>>>
>>>         Modify DefaultEncryptedProperties#getProperty(String) to return null
>>>         when the key does not exist. This is more in line with what users
>>>         will expect as it is what java.util.Properties#getProperty(String)
>>>         does. Previously this would throw a NullPointerException in
>>>         Base64#decode(String) when it tried to decode null which was
>>>         confusing at best.
>>>
>>>         Modify javadoc for EncryptedProperties#getProperty(String) to define
>>>         the expected behavior in the case of a non-existent key.
>>>
>>>         Add EncryptedPropertiesTest#testNonExistantKey() to test the behavior
>>>         of non-existent keys in isolation.
>>>
>>>         Modify EncryptedPropertiesTest#testGetProperty() to not expect an
>>>         Exception to be thrown in the case of a non-existent key.
>>>
>>>         Modify EncryptedPropertiesTest#testKeySet() to not depend on the
>>>         order of the keys in the key set.
>>>
>>>         Combine EncryptedPropertiesTest#testStore() and
>>>         EncryptedPropertiesTest#testLoad() into
>>>         EncryptedProperties#testStoreLoad() as testLoad() depended on
>>>         testStore() running first which I'm not sure junit/surefire
>>>         guarantees. Also modify to write to and read from a byte array input
>>>         and output stream to avoid managing a temporary file.
>>>
>>>         Remove EncryptedProperties#main(String[]) as it wasn't worth porting
>>>         the above to it and mvn -Dtest=EncryptedPropertiesTest test is
>>>         functionally equivalent to what was originally desired.
>>>
>>>         I think that's all...
>>>
>>>
>>>
>>>      2010-01-15 17:47:48 HST schallee at darkmist.net
>>>
>>>         Change setCurrentHTTP to not attempt to wrap a null request or null
>>>         response.
>>>
>>>
>>>      2010-01-15 11:34:55 HST schallee at darkmist.net
>>>
>>>         Lots of changes to rather broken tests in SafeFileTest. Tests that
>>>         were testing java.io.File were modified to actually test SafeFile or
>>>         removed. Further, printing of test results and not using junit was
>>>         fixed.
>>>
>>>         As there haven't been major changes to SafeFile this change to
>>>         SafeFileTest will be committed to the 2.0 branch as well.
>>>
>>>
>>>      2010-01-15 03:48:25 HST schallee at darkmist.net
>>>
>>>         Fix HTTPUtilitiesTest that was trying to use the resources directory
>>>         which was null causing an NPE.
>>>
>>>         This also adds some file test utilities for creating temporary
>>>         directories and recursively removing them. This may be worth
>>>         forwarding to 2.0 at some point to help cleanup other file based
>>>         unit tests there as well.
>>>
>>>
>>>      2010-01-15 03:45:08 HST schallee at darkmist.net
>>>
>>>         Fix unix test in a similar fashion to how it was fixed in the
>>>         2.0 branch. This required the reimplementation/backport of
>>>         SecurityConfigurationWrapper for 1.4 as well.
>>>
>>>
>>>      2010-01-15 03:42:05 HST schallee at darkmist.net
>>>
>>>         Fix unix test that expects /bin/sh to be a directory.
>>>
>>>         Note that this was also previously fixed in the 2.0 branch.
>>>
>>>
>>>      2010-01-15 03:39:18 HST schallee at darkmist.net
>>>
>>>         Remove unneeded cast to DefaultSecurityConfiguration which also
>>>         prevents other implementations of SecurityConfiguration from working.
>>>
>>>         Note that this was previously fixed in the 2.0 branch.
>>>
>>>
>>>      2010-01-14 12:43:11 HST  manico.james
>>>
>>>         validation doc cleanup
>>>
>>>      2010-01-13 14:58:20 HST  manico.james
>>>
>>>         documentation cleanup for validation
>>>
>>>      2010-01-13 14:42:05 HST  manico.james
>>>
>>>         documentation cleanup for validation
>>>
>>>      2009-12-13 18:12:09 HST schallee at darkmist.net
>>>
>>>         CSSCodec:
>>>             switch back to back slash self for printable ascii
>>>         EncoderTest:
>>>             fix tests that got messed up by back ports and such
>>>             normalize still fails but this is known (issue 74)
>>>             double encoding fails and needs checking
>>>
>>>
>>>      2009-12-13 17:37:11 HST schallee at darkmist.net
>>>
>>>         HashTrieTest#testValues() was throwing a ClassCastException in the
>>>         sort. It turns out Boolean is not Comparable in 1.4 but is in 1.5.
>>>         This has been changed to Integer in the 1.4 branch.
>>>
>>>
>>>      2009-12-13 17:10:02 HST schallee at darkmist.net
>>>
>>>         Fix issue 15 by extending HttpServlet{Request,Response}Wrapper instead
>>>         of just implementing HttpServlet{Request,Response}. As this change only
>>>         changes this class's super class (no longer java.lang.Object) and the
>>>         interfaces are the same this shouldn't cause existing code issues.
>>>
>>>         This does fix the problem where containers expect to be able to
>>>         unwrap their original request in the wrapped one.
>>>
>>>
>>>      2009-12-13 16:07:55 HST schallee at darkmist.net
>>>
>>>         CSSCodec:
>>>             fix issues with backslash self for hex digits (issue 77)
>>>             split out tests from CodecTest
>>>             add tests to verify lack of regression for issue 77
>>>             change to not encode alphanumerics
>>>         HTMLEntityCodec:
>>>             fix theta/thetasym issues with decoding by backporting 2.0 fix
>>>                 (issue 45)
>>>         JavaScriptCodec:
>>>             fix corner case which would throw a
>>>      IndexOutOfBoundsException (issue 78)
>>>             changed massive if (a) ret, if(b) ret, to switch statement
>>>         PercentCodec:
>>>             back port percent codec fixes for issue 75
>>>         CodecTest:
>>>             back ported to 1.4
>>>             modify some tests to work with 1.4 as 1.4 encodes some things
>>>             differently
>>>
>>>         I think that's all...
>>>
>>>
>>>
>>>      2009-12-08 12:28:03 HST schallee at darkmist.net
>>>
>>>         Big nasty patch to back port the XMLEntityCodec to 1.4. This includes
>>>         most of the functionality needed for the HTMLCodec fix which is next.
>>>         This includes codec.HashTrieTest, util.NullSafe and
>>>         util.CollectionsUtil.
>>>
>>>         Two new classes have been added:
>>>
>>>         codec.AbstractCodec:
>>>
>>>         This is a base abstract codec.Codec implementation to ease porting.
>>>         In 1.4 Codec is an interface and in 2.0 it is an abstract class.
>>>         Ports back to 1.4 can use AbstractCodec as their base instead.
>>>
>>>         util.PrimWrap:
>>>
>>>         This is a simple class to wrap primitives in their java.lang classes.
>>>         This is here to help back porting of auto boxing code from the 2.0
>>>         branch. By using this instead of new Character(), etc we can easily
>>>         implement our own fly weight caching of these objects as 1.5 does in
>>>         its auto boxing if and when the overhead incurred in creating new
>>>         objects each time becomes an issue.
>>>
>>>
>>>
>>>      2009-12-08 12:11:30 HST schallee at darkmist.net
>>>
>>>         Remove use of sun proprietary normalize method. This breaks this
>>>         method's functionality which I do not like. However, this is what has
>>>         been done in the 2.0 branch. There is code commented out in the 2.0
>>>         branch to use the new java.text.Normalize however that is only
>>>         available in 1.6. To make matters worse, the interface to the sun
>>>         proprietary version has changed and, as is, this will not compile
>>>         with later JDKs (at least 1.6). I am adding an issue to document and
>>>         remind us about this.
>>>
>>>
>>>
>>>      2009-12-07 12:53:53 HST schallee at darkmist.net
>>>
>>>         Change version of Junit library to 3.8.1 instead of 4.4. ESAPI 1.4 is
>>>         targeted at Java 1.4 and Junit 4 requires Java 1.5 (aka 5.0). This
>>>         change allows tests to build with a Java 1.4 compiler.
>>>
>>>
>>>
>>>      2009-12-07 12:50:29 HST schallee at darkmist.net
>>>
>>>         Backport current JSP tag libraries from 2.0rcs to 1.4.1rcs
>>>
>>>         No changes were needed.
>>>
>>>
>>>
>>>      2009-12-06 01:04:48 HST schallee at darkmist.net
>>>
>>>         ignore and delete target directory
>>>
>>>
>>>      2009-12-04 19:26:17 HST  manico.james
>>>
>>>         update
>>>
>>>      2009-12-04 19:25:28 HST  manico.james
>>>
>>>         fix to ESAPI log4j configuration
>>>
>>>      2009-12-04 19:24:27 HST  manico.james
>>>
>>>         allowing configuration of Log4J logger in properties file
>>>
>>>      2009-12-04 19:21:07 HST  manico.james
>>>
>>>         setting perm ignore on target folder
>>>
>>>      2009-12-04 19:17:21 HST  manico.james
>>>
>>>         Log4J logger in the 1.4 style of logging is now compiling correctly
>>>
>>>      2009-12-04 18:55:53 HST  manico.james
>>>
>>>         fixing settings for forbidden apis (now just warn; normalize)
>>>
>>>      2009-12-04 18:48:00 HST  manico.james
>>>
>>>         more cleanup....
>>>
>>>      2009-12-04 18:02:33 HST  manico.james
>>>
>>>         fixed issues with Logging
>>>
>>>      2009-12-04 17:47:59 HST  manico.james
>>>
>>>         significant fixes to pom.xml
>>>
>>>      2009-12-04 17:40:19 HST  manico.james
>>>
>>>         more reorg of code for maven
>>>
>>>      2009-12-04 17:38:02 HST  manico.james
>>>
>>>         target should not be checked in, sorry (x3)
>>>
>>>      2009-12-04 17:37:38 HST  manico.james
>>>
>>>         more reorg of code for maven
>>>
>>>      2009-12-04 17:29:05 HST  manico.james
>>>
>>>         target should not be checked in, sorry (x2)
>>>
>>>      2009-12-04 17:28:33 HST  manico.james
>>>
>>>         moving code to proper directories
>>>
>>>      2009-12-04 17:24:46 HST  manico.james
>>>
>>>         target should not be checked in, sorry
>>>
>>>      2009-12-04 17:21:44 HST  manico.james
>>>
>>>         fixing pom...
>>>
>>>      2009-12-04 17:03:37 HST  manico.james
>>>
>>>         pom cleanup
>>>
>>>      2009-12-04 16:49:19 HST  manico.james
>>>
>>>         removed sealing code so building working for now.
>>>
>>>      2009-12-04 16:39:53 HST  manico.james
>>>
>>>         Maven integration working
>>>
>>>      2009-12-04 16:36:21 HST  manico.james
>>>
>>>         updating maven
>>>
>>>      2009-12-04 16:22:55 HST  manico.james
>>>
>>>         backwards compatible fix.
>>>
>>>      2009-12-04 16:02:34 HST  manico.james
>>>
>>>         upgrade to latest Eclipse
>>>
>>>      2009-12-04 16:02:19 HST  manico.james
>>>
>>>         Fix to OracleCodec, small formatting change to MySQLCodec
>>>
>>>
>>>        
>>
>> --
>> Jim Manico
>> OWASP Podcast Host/Producer
>> OWASP ESAPI Project Manager
>> http://www.manico.net
>>
>>
>>      
>
>    
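
The quoted commit log describes two related changes to how the 1.4 branch finds its configuration: ESAPI.properties is looked up in a .esapi folder first and then in a 'resources' directory on the classpath, and a getResource() miss now surfaces as a FileNotFoundException (matching the documented IOException contract) instead of a NullPointerException. The following is an added example of that pattern, not ESAPI's own SecurityConfiguration code. The class name PropertiesLocator, its method names, the use of user.home or a temp directory as the base, and the sample property key are assumptions made for the illustration; only the directory and file names come from the commit messages.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Properties;

/**
 * Added example, not ESAPI's own configuration code. Illustrates the lookup
 * order described in the commit log (a .esapi directory first, then a
 * 'resources' directory on the classpath) and the null-safe handling of
 * ClassLoader.getResource(), which returns null on a miss instead of throwing.
 * Class and method names, and the choice of base directory, are assumptions
 * for this example. Written without generics or try-with-resources so it also
 * compiles on a Java 1.4 toolchain, which is what the 1.4 branch targets.
 */
public class PropertiesLocator {

    private final String fileName;
    private final File homeDir;
    private final ClassLoader loader;

    public PropertiesLocator(String fileName, File homeDir, ClassLoader loader) {
        this.fileName = fileName;
        this.homeDir = homeDir;
        this.loader = loader;
    }

    /**
     * Opens the properties file: <homeDir>/.esapi/<fileName> first, then
     * resources/<fileName> on the classpath. If neither exists, throws
     * FileNotFoundException (an IOException, so callers coded to the
     * documented contract handle it) rather than passing a null URL on and
     * failing later with a NullPointerException far from the real cause.
     */
    public InputStream open() throws IOException {
        File local = new File(new File(homeDir, ".esapi"), fileName);
        if (local.isFile()) {
            return new FileInputStream(local);
        }
        // getResource() returns null when nothing matches; check before use.
        URL url = loader.getResource("resources/" + fileName);
        if (url == null) {
            throw new FileNotFoundException(fileName + " not found in "
                    + local.getParent() + " or in resources/ on the classpath");
        }
        return url.openStream();
    }

    /** Loads the file found by open(), always closing the stream. */
    public Properties load() throws IOException {
        InputStream in = open();
        try {
            Properties p = new Properties();
            p.load(in);
            return p;
        } finally {
            in.close();
        }
    }

    /** Constructed demo: a temp home with no .esapi folder, then with one. */
    public static void main(String[] args) throws IOException {
        File fakeHome = new File(System.getProperty("java.io.tmpdir"),
                "locator-demo-" + System.currentTimeMillis());
        fakeHome.mkdir();
        // Class loader with no URLs and no parent: the classpath fallback misses.
        ClassLoader empty = new URLClassLoader(new URL[0], null);
        PropertiesLocator locator =
                new PropertiesLocator("ESAPI.properties", fakeHome, empty);
        try {
            locator.load();
            System.out.println("unexpected: file was found");
        } catch (FileNotFoundException e) {
            System.out.println("expected failure: " + e.getMessage());
        }
        // Create .esapi/ESAPI.properties with constructed sample content and retry.
        File esapiDir = new File(fakeHome, ".esapi");
        esapiDir.mkdir();
        File props = new File(esapiDir, "ESAPI.properties");
        FileWriter w = new FileWriter(props);
        w.write("example.key=from-dot-esapi\n");
        w.close();
        System.out.println("loaded: " + locator.load().getProperty("example.key"));
        props.delete();
        esapiDir.delete();
        fakeHome.delete();
    }
}
```

The point of converting the null into a FileNotFoundException is that a missing security configuration then fails at the lookup, with a message naming both locations that were tried, rather than as an NPE somewhere inside the first component that reads a property. A caller that wants to fail closed when no configuration is present can catch IOException at startup and refuse to continue, which is not possible to do reliably when the failure is a NullPointerException thrown from an unrelated call site.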

