[Esapi-user] WAF problems

Jeff Williams jeff.williams at aspectsecurity.com
Thu Feb 3 10:37:32 EST 2011


The best practice is to close these in a finally block (not always as
simple as it looks).  But my understanding is that there are built-in
finalizers that will close file handle streams when they're not used any
more.  Note that all three of these cases are very unlikely to be called
frequently, and there is no way for an attacker to make it happen, so the
idea that they represent a DOS vulnerability is remote to say the least.

--Jeff
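Added example (not code from ESAPI or from either poster): the finally-block pattern from the reply above, applied to the getFileContents and setConfiguration methods quoted in the original message below, alongside the Java 7 try-with-resources form. The StreamCloseExample class and the readConfigurationFile byte-counting stub are assumptions standing in for ESAPI's ConfigurationParser; the policy file is constructed in main.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.Writer;

public class StreamCloseExample {

    // Java 6 style: close in finally. The parts that are "not as simple as
    // it looks": the reader is declared outside the try so finally can see
    // it, it may still be null if the constructor threw, and close() itself
    // can throw, which would otherwise mask the exception from the read loop.
    static String getFileContents(File f) throws IOException {
        BufferedReader br = null;
        try {
            br = new BufferedReader(new FileReader(f));
            StringBuffer sb = new StringBuffer();
            String sep = System.getProperty("line.separator");
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append(sep);
            }
            return sb.toString();
        } finally {
            if (br != null) {
                try {
                    br.close();
                } catch (IOException ignored) {
                    // A failed close must not hide the original exception.
                }
            }
        }
    }

    // Java 7 style: try-with-resources closes the reader even when readLine
    // throws, and records a close() failure as a suppressed exception.
    static String getFileContentsTwr(File f) throws IOException {
        StringBuilder sb = new StringBuilder();
        String sep = System.getProperty("line.separator");
        try (BufferedReader br = new BufferedReader(new FileReader(f))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append(sep);
            }
        }
        return sb.toString();
    }

    // Hypothetical stand-in for ConfigurationParser.readConfigurationFile:
    // the parser is handed an InputStream, but the caller that opened the
    // stream stays responsible for closing it. This stub only counts bytes.
    static long readConfigurationFile(InputStream in) throws IOException {
        long n = 0;
        byte[] buf = new byte[4096];
        int r;
        while ((r = in.read(buf)) != -1) {
            n += r;
        }
        return n;
    }

    // Same shape as setConfiguration: the FileInputStream is opened here, so
    // it is closed here in finally instead of being left to a finalizer.
    static long setConfiguration(String policyFilePath) throws IOException {
        FileInputStream fis = new FileInputStream(new File(policyFilePath));
        try {
            return readConfigurationFile(fis);
        } finally {
            fis.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary three-line policy file.
        File tmp = File.createTempFile("waf-policy", ".xml");
        tmp.deleteOnExit();
        Writer w = new FileWriter(tmp);
        try {
            w.write("<policy>\n  <rule/>\n</policy>\n");
        } finally {
            w.close();
        }
        String a = getFileContents(tmp);
        String b = getFileContentsTwr(tmp);
        System.out.println("finally and try-with-resources agree: " + a.equals(b));
        System.out.println("bytes parsed: " + setConfiguration(tmp.getPath()));
        // Repeated calls no longer depend on the garbage collector running
        // finalizers to release the underlying file descriptors.
        for (int i = 0; i < 10000; i++) {
            getFileContentsTwr(tmp);
        }
        System.out.println("10000 reads completed with every descriptor closed");
    }
}
```

The finally variant is the one that fits ESAPI 2.0's Java 5/6 target; the try-with-resources variant is shown because it removes the null check and the nested try around close() that make the manual form easy to get wrong.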


-----Original Message-----
From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, February 02, 2011 10:41 PM
To: ESAPI-Developers; ESAPI Users List
Subject: [Esapi-user] WAF problems

If you are using the ESAPI 2.0 WAF, take note. I noticed that there are
a few instances where streams are not being closed properly. (I think)
this could lead to a DOS or resource problem. Could you please confirm?

	private String getFileContents(File f) throws IOException {
		
		FileReader fr = new FileReader(f);
		StringBuffer sb = new StringBuffer();
		String line;
		BufferedReader br = new BufferedReader(fr); // <- never released
		
		while( (line=br.readLine()) != null ) {
			sb.append(line + System.getProperty("line.separator"));
		}
		
		return sb.toString();
	}



and



	public void setConfiguration( String policyFilePath, String webRootDir ) throws FileNotFoundException {
		try {
			appGuardConfig = ConfigurationParser.readConfigurationFile(new FileInputStream(new File(policyFilePath)), webRootDir);
			lastConfigReadTime = System.currentTimeMillis();
			configurationFilename = policyFilePath;
		} catch (ConfigurationException e ) {
			// TODO: It would be ideal if this method threw the ConfigurationException rather than catching it and
			// writing the error to the console.
			e.printStackTrace();
		}
	}



and

		/*
		 * Open up configuration file and populate the AppGuardian configuration object.
		 */

		try {

			String webRootDir = fc.getServletContext().getRealPath("/");
			appGuardConfig = ConfigurationParser.readConfigurationFile(new FileInputStream(configurationFilename), webRootDir);

			DOMConfigurator.configure(realLogSettingsFilename);

			lastConfigReadTime = System.currentTimeMillis();
			
		} catch (FileNotFoundException e) {
			throw new ServletException(e);
		} catch (ConfigurationException e) {
			throw new ServletException(e);
		}

	}


Thoughts?

- Jim
_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
