[Esapi-user] WAF problems

Jeff Williams jeff.williams at aspectsecurity.com
Thu Feb 3 10:37:32 EST 2011

The best practice is to close these in a finally block (not always as
simple as it looks).  But my understanding is that there are built-in
finalizers that will close file handle streams when they're not used any
more.  Note that all three of these cases are very unlikely to be called
frequently, and there is no way for an attacker to make it happen, so the
idea that they represent a DOS vulnerability is remote to say the least.


-----Original Message-----
From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, February 02, 2011 10:41 PM
To: ESAPI-Developers; ESAPI Users List
Subject: [Esapi-user] WAF problems

If you are using the ESAPI 2.0 WAF,  take note. I noticed that there are
a few instances where streams are not being closed properly. (I think)
this could lead to a DOS or resource problem. Could you please confirm?

	private String getFileContents(File f) throws IOException {
		FileReader fr = new FileReader(f);
		StringBuffer sb = new StringBuffer();
		String line;
		BufferedReader br = new BufferedReader(fr); <- never
		while( (line=br.readLine()) != null ) {
			sb.append(line +
		return sb.toString();


	public void setConfiguration( String policyFilePath, String
webRootDir ) throws FileNotFoundException {
		try {
			appGuardConfig =
ConfigurationParser.readConfigurationFile(new FileInputStream(new
File(policyFilePath)), webRootDir);
			lastConfigReadTime = System.currentTimeMillis();
			configurationFilename = policyFilePath;
		} catch (ConfigurationException e ) {
            // TODO: It would be ideal if this method threw the
ConfigurationException rather than catching it and
            // writing the error to the console.


		 * Open up configuration file and populate the
AppGuardian configuration object.

		try {

			String webRootDir =
			appGuardConfig =


			lastConfigReadTime = System.currentTimeMillis();
		} catch (FileNotFoundException e) {
			throw new ServletException(e);
		} catch (ConfigurationException e) {
			throw new ServletException(e);



- Jim
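As an added example (not ESAPI's own code), here is the quoted getFileContents() rewritten so the file handle is released on every path, first with the close-in-finally pattern Jeff mentions and then with try-with-resources (Java 7+); the separator appended after each line is assumed to be a newline, since the quoted snippet is cut off at that point.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

// Added example, not ESAPI code: exception-safe versions of the quoted
// getFileContents(). The original never closes its FileReader, and if
// readLine() throws, the descriptor stays open until the finalizer runs.
public final class SafeFileRead {

    // Close-in-finally form. The subtleties: the reader is declared outside
    // the try so finally can see it, it is null-checked in case the
    // constructor failed, and close() gets its own handler so a failure
    // there does not mask the original read error.
    static String getFileContents(File f) throws IOException {
        BufferedReader br = null;
        StringBuilder sb = new StringBuilder();
        try {
            br = new BufferedReader(new FileReader(f));
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append('\n');  // assumed separator
            }
            return sb.toString();
        } finally {
            if (br != null) {
                try {
                    br.close();  // also closes the wrapped FileReader
                } catch (IOException ignored) {
                    // read result (or the original exception) still wins
                }
            }
        }
    }

    // Same behaviour with try-with-resources (Java 7+): close() is emitted
    // by the compiler, and a close() failure is attached to the primary
    // exception as a suppressed exception instead of replacing it.
    static String getFileContentsTwr(File f) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader br = new BufferedReader(new FileReader(f))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append('\n');  // assumed separator
            }
        }
        return sb.toString();
    }
}
```

The same pattern applies to the FileInputStream passed to ConfigurationParser.readConfigurationFile() in the other two snippets, unless that method documents that it closes the stream itself.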