[Esapi-user] Esapi-user Digest, Vol 20, Issue 12

Jim Manico jim.manico at owasp.org
Wed Jul 27 18:34:34 EDT 2011


Jeff,

I agree these encoders belong in ESAPI but only as a last resort.

Case in point: you can change Oracle's escape character dynamically and the
JDBC driver would pick that up, but a hard-coded escape function would not,
leaving you injectable.

But still Jeff, as a last resort or as a stopgap measure, I agree.

- Jim Manico

On Jul 27, 2011, at 5:27 PM, "Jeff Williams" <jeff.williams at aspectsecurity.com> wrote:

Perhaps he is interested in canonicalization?  There are plenty of good
reasons to have a SQLServer codec in ESAPI.

There were some discussions around this a while back, and maybe even an
implementation.  Would you be interested in helping put this together?

--Jeff



On Jul 27, 2011, at 5:22 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

Rama,

This is a deeply fragile way to stop XSS. Can you just use parameterized
queries with data binding? We heavily recommend this as the best way to stop
SQL injection.

- Jim Manico

On Jul 27, 2011, at 12:48 PM, Rama Krishna Pathangi <rpathangi at hotmail.com> wrote:

Hello,

We are currently using ESAPI 2.0 GA.
In line with the following, I was wondering if we can have a codec for
SQLServer in your future release.
ESAPI.encoder().encodeForSQL( new OracleCodec(), dirtyString );
ESAPI.encoder().encodeForSQL( new DB2Codec(), dirtyString );

--
Rama Krishna Rao Pathangi
[c] 1 503 962 9480
[f]  1 801 409 7951


> From: esapi-user-request at lists.owasp.org
> Subject: Esapi-user Digest, Vol 20, Issue 12
> To: esapi-user at lists.owasp.org
> Date: Wed, 27 Jul 2011 12:00:05 -0400
>
> Send Esapi-user mailing list submissions to
> esapi-user at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.owasp.org/mailman/listinfo/esapi-user
> or, via email, send a message with subject or body 'help' to
> esapi-user-request at lists.owasp.org
>
> You can reach the person managing the list at
> esapi-user-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Esapi-user digest..."
>
>
> Today's Topics:
>
> 1. Re: [Esapi-dev] ESAPI 2.0.1 Released (Dave Wolf)
> 2. Fwd: .NET and Java WAF (Christian Heinrich)
> 3. Re: .NET and Java WAF (Jim Manico)
> 4. Re: [Esapi-dev] .NET and Java WAF (Kevin W. Wall)
> 5. Re: [GPC] Fwd: .NET and Java WAF (Jason Li)
> 6. using SafeRequest (Normando Macaraeg)
> 7. Re: using SafeRequest (Kevin W. Wall)
> 8. Re: [Esapi-dev] .NET and Java WAF (Christian Heinrich)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 26 Jul 2011 17:14:12 +0000
> From: Dave Wolf <dave.wolf at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] ESAPI 2.0.1 Released
> To: ESAPI Dev List <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAF1Q6Q3EHDgAwCheTt6e9E3HmZd+smu3eVSkEj8dqpHV1nRpyA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> FYI, I'm not finding 2.0.1 on Maven Central. The most current release that
> shows up is 2.0GA. I'm searching using:
> g:"org.owasp.esapi" AND a:"esapi" AND v:"2.0.1"
>
> Any ideas what is going on?
>
> Thanks,
>
> Dave Wolf
>
> Date: Mon, 25 Jul 2011 08:01:35 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-dev] ESAPI 2.0.1 Released
> To: Chris Schmidt <chris.schmidt at owasp.org>
> Cc: ESAPI Devs <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAOPE6PhgP5NnFLxA2nBKKCG5P39N4vuTU0+U1U3SmbcC_eY2kA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Mon, Jul 25, 2011 at 4:44 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> > Due to popular demand ESAPI 2.0.1 has been released with some minor (but
> > important) bug fixes. The changelist is below.
> > [snip]
> > Change log from 2.0.GA to 2.0.1
> >
> > 2011-07-25 00:01:38 chrisisbeef /trunk/pom.xml v 1858
> >
> > Removed version from project name... Fixes Issue #235
> > 2011-07-24 23:56:06 chrisisbeef
> > /trunk/configuration/esapi/ESAPI.properties v 1857
> > /trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java v 1857
> >
> > Resolves issue #46 - allow context path to have leading slash or be empty
> > 2011-07-23 14:36:17 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java v 1856
> >
> > Get rid of really irritating stacktrace every time esapi loads.
> >
> > fixes issue #220
> > 2011-07-23 14:25:45 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultValidator.java v 1855
> >
> > Resolve issue 232 Validation Type Error
> > 2011-07-23 14:17:34 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java v 1854
> >
> > Fix issue 231 inverted logic error with canonicalization.
>
> Chris,
>
> Well, let me be amongst the first to publicly congratulate you for pushing
> out these fixes, and especially issue #46, which I pretty much dropped the
> ball on.
>
> Thanks for your hard work. The whole ESAPI community owes you a beer!
> Great job.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
> Dave Wolf
>
> "There is no passion to be found playing small - in settling for a life that
> is less than the one you are capable of living." --Nelson Mandela
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20110726/f6fa9b61/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Wed, 27 Jul 2011 10:23:39 +1000
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Subject: [Esapi-user] Fwd: .NET and Java WAF
> To: Global Projects Committee <global-projects-committee at lists.owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAFCvB5JThsd3g2AKP9kthkHKcywgj7dbK4r9JaMtqtVd3WEmZA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> GPC,
>
> Please consider this notice that "we" intend to escalate for
> recognition as an OWASP Project by the GPC shortly after BlackHat and
> DefCon.
>
> Hence I have CC ESAPI Mailing List for discussion in the interim until
> the @owasp.org Mailing Lists are created.
>
> Juan, Ryan, Jason and Jason have been BCC.
>
> ---------- Forwarded message ----------
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Date: Tue, Jul 26, 2011 at 8:33 AM
> Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
>
>
> Juan,
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > What do you mean closing this off? Having it ready or defining is an
> > OWASP project?
>
> I was referring to having it listed as an OWASP Project, such as an
> associated mailing list, etc.
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > Just as a small update, Aldo Salas a certified Java developer is helping
> > me out to finish this project, we have a progress meeting this Thursday,
> > also I sent a paper proposal to OWASP LATAM to present a course on
> > Mod_security for Java this October (that is it should be well tested and
> > finished by then) :)
>
> I can note this milestone in the Project Plan - I will list it for
> November to account for the unlikely event that the deadline slips or
> to demonstrate that we ship it earlier than expected :)
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 26 Jul 2011 19:25:14 -0500
> From: Jim Manico <jim.manico at owasp.org>
> Subject: Re: [Esapi-user] .NET and Java WAF
> To: Christian Heinrich <christian.heinrich at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID: <-2981349937657456396 at unknownmsgid>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I totally support splitting the ESAPI WAF into a brand new project. Go
> for it - and great work!
>
> - Jim Manico
>
> On Jul 26, 2011, at 7:23 PM, Christian Heinrich <christian.heinrich at owasp.org> wrote:
>
> > [snip]
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 26 Jul 2011 21:39:10 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and Java WAF
> To: Jim Manico <jim.manico at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
> <CAOPE6Ph85Po+9Qs6d96GzYg4=5j5sYXQOU7JFEpJgF+o8iX_dg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 8:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
> > I totally support splitting the ESAPI WAF into a brand new project. Go
> > for it - and great work!
>
> Christian,
>
> I concur. However, please do keep us in the loop, especially if you make
> any changes that would affect how it is used in ESAPI. I think that we would
> like to keep it as an option there and also be able to drop in your latest
> version.
>
> Thanks,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 26 Jul 2011 21:51:42 -0400
> From: Jason Li <jason.li at owasp.org>
> Subject: Re: [Esapi-user] [GPC] Fwd: .NET and Java WAF
> To: Christian Heinrich <christian.heinrich at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
> <CAPfGuxawWMudERxnbN+-LfKZQ1tMfhUVs69fs9ntWkjHOiNPjg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Christian,
>
> There's no need to "escalate" for recognition.
>
> Any idea can always be submitted to the GPC and they will be processed
> by Paulo Coimbra like all other requests.
>
> I would encourage the group to read the wiki article on starting an
> OWASP project (https://www.owasp.org/index.php/How_to_Start_an_OWASP_Project)
> and ensure that the group submits the necessary information.
>
> -Jason
>
> On Tue, Jul 26, 2011 at 8:23 PM, Christian Heinrich <christian.heinrich at owasp.org> wrote:
> > [snip]
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 26 Jul 2011 19:48:57 -0700 (PDT)
> From: "Normando Macaraeg" <nmacaraeg at jaspersoft.com>
> Subject: [Esapi-user] using SafeRequest
> To: <esapi-user at lists.owasp.org>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
>
> HttpSession session = request.getSession(); // unsafe session
>
> I should change the code to this:
>
> HttpSession session = new SafeRequest( request ).getSession(); // safe
> session
>
> But the book says this works only if I enable the ESAPIFilter. How do I
> enable the ESAPIFilter?
>
> -Norm
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 26 Jul 2011 23:32:01 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] using SafeRequest
> To: Normando Macaraeg <nmacaraeg at jaspersoft.com>
> Cc: esapi-user at lists.owasp.org
> Message-ID:
> <CAOPE6Pj3joRXWCo8bJY+BJPDy9Z_om-AZDkokumJEiSFganNPQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 10:48 PM, Normando Macaraeg <nmacaraeg at jaspersoft.com> wrote:
> > Hi,
> >
> > Using the ESAPI Book as my guide, it looks like when I find code that
> > looks like:
> >
> > HttpSession session = request.getSession(); // unsafe session
> >
> > I should change the code to this:
> >
> > HttpSession session = new SafeRequest( request ).getSession(); // safe
> > session
> >
> > But the book says this works only if I enable the ESAPIFilter. How do I
> > enable the ESAPIFilter?
>
> You configure it just like any other Java Servlet filter.
> In your WEB-INF/web.xml file, you would do something like
> this:
>
> <web-app id="myWebApp">
>   ...
>   <filter>
>     <filter-name>ESAPI-Filter</filter-name>
>     <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
>     <!-- Note: Not sure it has any parameters. Check the
>          source code or ask Jeff Williams. I don't have time
>          right now. However, this is how you specify
>          parameters. You can have more than one init-param
>          section. -->
>     <init-param>
>       <param-name>greetings</param-name>
>       <param-value>Hello, World</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>ESAPI-Filter</filter-name>
>     <url-pattern>/images/*</url-pattern>
>   </filter-mapping>
>   ...
> </web-app>
>
> The exact syntax may be slightly different depending on what
> Servlet Spec your JavaEE / servlet container adheres to. Shown
> above is for Servlet Spec 2.4.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 27 Jul 2011 16:54:00 +1000
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and Java WAF
> To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAFCvB5Lq+GHVgySp+Z0do4x0w4RdN1YF1wy5Bbk4PrXLeQcK6A at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Kevin,
>
> I have dropped the GPC for the moment from this discussion.
>
> On Wed, Jul 27, 2011 at 11:39 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> > I concur. However, please do keep us in the loop, especially if you make
> > any changes that would affect how it is used in ESAPI. I think that we would
> > like to keep it as an option there and also be able to drop in your latest
> > version.
>
> I can create a dependency in the Project Plan for this and a SVN tag
> for the attention of ESAPI Java.
>
> For your reference, Juan's import from ESAPI Java was
> http://code.google.com/p/owasp-java-waf/source/detail?r=2
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
> End of Esapi-user Digest, Vol 20, Issue 12
> ******************************************

_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
