[Esapi-user] WAF problems

Jim Manico jim.manico at owasp.org
Wed Feb 2 22:40:52 EST 2011


If you are using the ESAPI 2.0 WAF, take note. I noticed that there are a few instances where streams are not being closed properly. (I think) this could lead to a DOS or resource problem. Could you please confirm?

	private String getFileContents(File f) throws IOException {
		
		FileReader fr = new FileReader(f);
		StringBuffer sb = new StringBuffer();
		String line;
		BufferedReader br = new BufferedReader(fr); // <- never released
		
		while( (line=br.readLine()) != null ) {
			sb.append(line + System.getProperty("line.separator"));
		}
		
		return sb.toString();
	}



and



	public void setConfiguration( String policyFilePath, String webRootDir ) throws FileNotFoundException {
		try {
			appGuardConfig = ConfigurationParser.readConfigurationFile(new FileInputStream(new File(policyFilePath)), webRootDir);
			lastConfigReadTime = System.currentTimeMillis();
			configurationFilename = policyFilePath;
		} catch (ConfigurationException e ) {
			// TODO: It would be ideal if this method threw the ConfigurationException rather than catching it and
			// writing the error to the console.
			e.printStackTrace();
		}
	}



and

		/*
		 * Open up configuration file and populate the AppGuardian configuration object.
		 */

		try {

			String webRootDir = fc.getServletContext().getRealPath("/");
			appGuardConfig = ConfigurationParser.readConfigurationFile(new FileInputStream(configurationFilename),webRootDir);

			DOMConfigurator.configure(realLogSettingsFilename);

			lastConfigReadTime = System.currentTimeMillis();
			
		} catch (FileNotFoundException e) {
			throw new ServletException(e);
		} catch (ConfigurationException e) {
			throw new ServletException(e);
		}

	}


Thoughts?

- Jim
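
One way to close both leaks the post points at, shown here as an added example rather than ESAPI's own code: the BufferedReader and the FileInputStream are released in finally blocks, so they are closed even when readLine() or the configuration parser throws. ConfigurationParser.readConfigurationFile is replaced by a hypothetical parseConfig stand-in so the example runs on its own.

```java
import java.io.*;
// Added example, not ESAPI code: the two leaking call sites from the post,
// rewritten so the reader / stream is closed on every exit path. Uses
// try/finally (Java 5/6, which ESAPI 2.0 targeted) instead of Java 7's
// equivalent try-with-resources statement.
public class StreamCloseExample {

    // Hardened getFileContents: the reader is closed whether the loop
    // finishes normally or readLine() throws an IOException.
    static String getFileContents(File f) throws IOException {
        BufferedReader br = new BufferedReader(new FileReader(f));
        try {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append(System.getProperty("line.separator"));
            }
            return sb.toString();
        } finally {
            br.close(); // also closes the wrapped FileReader
        }
    }

    // Hypothetical stand-in for ConfigurationParser.readConfigurationFile.
    // The caller owns the stream it passes in, so the caller must close it
    // after the parser returns or throws; the parser does not do so.
    static int parseConfig(InputStream in) throws IOException {
        int bytes = 0;
        while (in.read() != -1) bytes++;
        return bytes;
    }

    // setConfiguration / init pattern with the FileInputStream released.
    static int readConfigurationClosed(String policyFilePath) throws IOException {
        FileInputStream fis = new FileInputStream(policyFilePath);
        try {
            return parseConfig(fis);
        } finally {
            fis.close();
        }
    }

    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("waf-policy", ".xml"); // constructed sample input
        tmp.deleteOnExit();
        FileWriter w = new FileWriter(tmp);
        try { w.write("<policy/>\n<rule/>\n"); } finally { w.close(); }
        System.out.print(getFileContents(tmp));
        System.out.println(readConfigurationClosed(tmp.getPath()) + " bytes parsed");
    }
}
```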

