[Esapi-user] Esapi-user Digest, Vol 20, Issue 12

Jeff Williams jeff.williams at aspectsecurity.com
Thu Jul 28 09:09:56 EDT 2011


> Jeff - Your encoder work is good. But I hope that we can agree that
> Parameterization and Binding is the best approach to provide
> high-assurance from SQL injection. Manual escaping is a last resort that
> does not provide high-assurance defense from SQL injection.

 

Totally agree.  I'm trying to point out that the ESAPI codecs are not
just for preventing injection.  The codecs support
canonicalization/validation/intrusion detection as well. 

 

--Jeff
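The three ways of handling one untrusted value that this exchange ranks (concatenation, driver-side binding, ESAPI OracleCodec escaping as a last resort), plus the canonicalization use Jeff describes, as an added example that is not from the thread or from the ESAPI project itself. It assumes ESAPI 2.x on the classpath with a valid ESAPI.properties, a JDBC Connection supplied by the caller, and a constructed users/name table and sample input.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.OracleCodec;
import org.owasp.esapi.errors.IntrusionException;

/** Added example (not ESAPI project code): one untrusted value on its way into SQL. */
public final class SqlInputHandling {

    // Constructed sample input: a legitimate apostrophe followed by an injection attempt.
    static final String DIRTY = "O'Brien' OR '1'='1";

    /** Vulnerable: the value becomes part of the SQL grammar (what the thread warns against). */
    static String concatenated(String dirty) {
        return "SELECT id FROM users WHERE name = '" + dirty + "'";
    }

    /** Preferred: bind the value; the driver, which knows the session's escape rules, encodes it. */
    static ResultSet parameterized(Connection conn, String dirty) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, dirty);            // data only, never query structure
        return ps.executeQuery();
    }

    /** Last resort: escape for one fixed Oracle syntax with the ESAPI codec (' becomes ''). */
    static String escaped(String dirty) {
        String safe = ESAPI.encoder().encodeForSQL(new OracleCodec(), dirty);
        // Jim's caveat: this rule is hard coded; if the escape syntax in force on the
        // session differs from what the codec assumes, the escaping no longer lines up.
        return "SELECT id FROM users WHERE name = '" + safe + "'";
    }

    /** Codec use beyond escaping: canonicalize before validating; strict mode treats
     *  multiple or mixed encoding as an intrusion signal rather than silently decoding it. */
    static String canonicalizedOrRejected(String dirty) {
        try {
            return ESAPI.encoder().canonicalize(dirty, true);
        } catch (IntrusionException e) {
            return null;                   // caller rejects the request and logs the attempt
        }
    }

    public static void main(String[] args) {
        System.out.println(concatenated(DIRTY));           // injected OR clause survives intact
        System.out.println(escaped(DIRTY));                // quotes doubled, so it stays a literal
        System.out.println(canonicalizedOrRejected("%2527")); // double-encoded quote: rejected (null)
    }
}
```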

 

 

From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Thursday, July 28, 2011 1:26 AM
To: Jeff Williams
Cc: Rama Krishna Pathangi; ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 20, Issue 12

 

Jeff,

 

If you dig into latest versions of Oracle JDBC drivers (which you can
decompile with Jad) you will find that the parameterization is a LOT
more complex than simple encoding. The driver needs to dynamically
understand the context before applying encoding or other defensive
logic.

Also, straight SQL gets to be very long fast and there are situations
where your query string is so long that it exceeds query size limits
for straight SQL. Parameterization gives you a lot more room to breathe.
Edge case but real.

Parameterization also provides significant performance enhancements and
caching when you have a lot of duplicate queries running.  Edge cases
where parameterization hurts performance have been fixed in recent
versions of Oracle.

Jeff - Your encoder work is good. But I hope that we can agree that
Parameterization and Binding is the best approach to provide
high-assurance from SQL injection. Manual escaping is a last resort that
does not provide high-assurance defense from SQL injection.

Fair comments?


- Jim Manico


On Jul 27, 2011, at 10:30 PM, "Jeff Williams"
<jeff.williams at aspectsecurity.com> wrote:

	Codecs aren't a last resort for canonicalization and input
validation, which is required for attack detection like what is done in
AppSensor.  More fundamentally, I think these codecs are exactly the
type of fundamental building blocks that are required before we (as an
industry) can move past injection and get to harder problems.  I say we
just build these out, get them right, and move on.

	 

	As far as I know, there's nothing that prevents a codec from
supporting a changeable escape syntax.  We sort of support that with the
two modes in the MySQLCodec.

	 

	--Jeff

	 

	 

	From: Jim Manico [mailto:jim.manico at owasp.org] 
	Sent: Wednesday, July 27, 2011 6:35 PM
	To: Jeff Williams
	Cc: Rama Krishna Pathangi; ESAPI User Group
	Subject: Re: [Esapi-user] Esapi-user Digest, Vol 20, Issue 12

	 

	Jeff,

	 

	I agree these encoders belong in ESAPI but only as a last
resort.

	 

	Case in point: You can change Oracle's escape character
dynamically and the JDBC driver would pick that up, but a hard coded
escape function would not, leaving you injectable.

	 

	But still Jeff, as a last resort or as a stopgap measure, I
agree.

	
	- Jim Manico

	
	On Jul 27, 2011, at 5:27 PM, "Jeff Williams"
<jeff.williams at aspectsecurity.com> wrote:

		Perhaps he is interested in canonicalization?  There are
plenty of good reasons to have a SQLServer codec in ESAPI.

		 

		There were some discussions around this a while back,
and maybe even an implementation.  Would you be interested in helping
put this together? 
		
		--Jeff

		 

		 

		
		On Jul 27, 2011, at 5:22 PM, "Jim Manico"
<jim.manico at owasp.org> wrote:

			Rama,

			 

			This is a deeply fragile way to stop XSS. Can
you just use parameterized queries with data binding? We heavily
recommend this as the best way to stop SQL injection.
			
			- Jim Manico

			
			On Jul 27, 2011, at 12:48 PM, Rama Krishna
Pathangi <rpathangi at hotmail.com> wrote:

				Hello,
				 
				We are currently using ESAPI 2.0 GA.
				In line with the following, I was
wondering if we can have a codec for SQLServer in your future release.
				ESAPI.encoder().encodeForSQL( new OracleCodec(), dirtyString );
				ESAPI.encoder().encodeForSQL( new DB2Codec(), dirtyString );
				
				--
				Rama Krishna Rao Pathangi
				[c] 1 503 962 9480
				[f]  1 801 409 7951
				
				 

				> From:
esapi-user-request at lists.owasp.org
				> Subject: Esapi-user Digest, Vol 20,
Issue 12
				> To: esapi-user at lists.owasp.org
				> Date: Wed, 27 Jul 2011 12:00:05 -0400
				> 
				> Today's Topics:
				> 
				> 1. Re: [Esapi-dev] ESAPI 2.0.1
Released (Dave Wolf)
				> 2. Fwd: .NET and Java WAF (Christian
Heinrich)
				> 3. Re: .NET and Java WAF (Jim Manico)
				> 4. Re: [Esapi-dev] .NET and Java WAF
(Kevin W. Wall)
				> 5. Re: [GPC] Fwd: .NET and Java WAF
(Jason Li)
				> 6. using SafeRequest (Normando
Macaraeg)
				> 7. Re: using SafeRequest (Kevin W.
Wall)
				> 8. Re: [Esapi-dev] .NET and Java WAF
(Christian Heinrich)
				> 
				> 
				>
----------------------------------------------------------------------
				> 
				> Message: 1
				> Date: Tue, 26 Jul 2011 17:14:12 +0000
				> From: Dave Wolf <dave.wolf at gmail.com>
				> Subject: Re: [Esapi-user] [Esapi-dev]
ESAPI 2.0.1 Released
				> To: ESAPI Dev List
<esapi-dev at lists.owasp.org>,
				> "Esapi-user at lists.owasp.org"
<Esapi-user at lists.owasp.org>
				> Message-ID:
				>
<CAF1Q6Q3EHDgAwCheTt6e9E3HmZd+smu3eVSkEj8dqpHV1nRpyA at mail.gmail.com>
				> Content-Type: text/plain;
charset="utf-8"
				> 
				> Hi,
				> 
				> FYI, I'm not finding 2.0.1 on Maven
Central. The most current release that
				> shows up is 2.0GA. I'm searching
using:
				> g:"org.owasp.esapi" AND a:"esapi" AND
v:"2.0.1"
				> 
				> Any ideas what is going on?
				> 
				> Thanks,
				> 
				> Dave Wolf
				> 
				> Date: Mon, 25 Jul 2011 08:01:35 -0400
				> From: "Kevin W. Wall"
<kevin.w.wall at gmail.com>
				> Subject: Re: [Esapi-dev] ESAPI 2.0.1
Released
				> To: Chris Schmidt
<chris.schmidt at owasp.org>
				> Cc: ESAPI Devs
<esapi-dev at lists.owasp.org>,
				> "Esapi-user at lists.owasp.org"
<Esapi-user at lists.owasp.org>
				> Message-ID:
				>
<CAOPE6PhgP5NnFLxA2nBKKCG5P39N4vuTU0+U1U3SmbcC_eY2kA at mail.gmail.com>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> On Mon, Jul 25, 2011 at 4:44 AM, Chris
Schmidt <chris.schmidt at owasp.org>
				> wrote:
				> > Due to popular demand ESAPI 2.0.1
has been released with some minor (but
				> > important) bug fixes. The changelist
is below.
				> > [snip]
				> > Change log from 2.0.GA
<http://2.0.ga/> to 2.0.1
				> >
				> > 2011-07-25 00:01:38 chrisisbeef
/trunk/pom.xml v 1858
				> >
				> > Removed version from project name...
Fixes Issue #235
				> > 2011-07-24 23:56:06 chrisisbeef
				> > /trunk/configuration/esapi/
				> ESAPI.properties v 1857
				> >
/trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java v 1857
				> >
				> > Resolves issue #46 - allow context
path to have leading slash or be empty
				> > 2011-07-23 14:36:17 chrisisbeef
				> >
				>
/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfigurat
ion.java
				> > v 1856
				> >
				> > Get rid of really irritating
stacktrace every time esapi loads.
				> >
				> > fixes issue #220
				> > 2011-07-23 14:25:45 chrisisbeef
				> >
/trunk/src/main/java/org/owasp/esapi/reference/DefaultValidator.java v
				> 1855
				> >
				> > Resolve issue 232 Validation Type
Error
				> > 2011-07-23 14:17:34 chrisisbeef
				> >
/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java v
1854
				> >
				> > Fix issue 231 inverted logic error
with canonicalization.
				> 
				> Chris,
				> 
				> Well, let me be amongst the first to
publicly congratulate you for pushing
				> out these fixes, and especially issue
#46, which I pretty much dropped the
				> ball on.
				> 
				> Thanks for your hard work. The whole
ESAPI community owes you a beer!
				> Great job.
				> 
				> -kevin
				> --
				> Blog:
http://off-the-wall-security.blogspot.com/
				> "The most likely way for the world to
be destroyed, most experts agree,
				> is by accident. That's where we come
in; we're computer professionals.
				> We *cause* accidents." -- Nathaniel
Borenstein
				> 
				> Dave Wolf
				> 
				> "There is no passion to be found
playing small - in settling for a life that
				> is less than the one you are capable
of living." --Nelson Mandela
				> 
				> ------------------------------
				> 
				> Message: 2
				> Date: Wed, 27 Jul 2011 10:23:39 +1000
				> From: Christian Heinrich
<christian.heinrich at owasp.org>
				> Subject: [Esapi-user] Fwd: .NET and
Java WAF
				> To: Global Projects Committee
				>
<global-projects-committee at lists.owasp.org>
				> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
				> <Esapi-user at lists.owasp.org>
				> Message-ID:
				>
<CAFCvB5JThsd3g2AKP9kthkHKcywgj7dbK4r9JaMtqtVd3WEmZA at mail.gmail.com>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> GPC,
				> 
				> Please consider this notice that "we"
intend to escalate for
				> recognition as an OWASP Project by the
GPC shortly after BlackHat and
				> DefCon.
				> 
				> Hence I have CC ESAPI Mailing List for
discussion in the interim until
				> the @owasp.org Mailing Lists are
created.
				> 
				> Juan, Ryan, Jason and Jason have been
BCC.
				> 
				> ---------- Forwarded message
----------
				> From: Christian Heinrich
<christian.heinrich at owasp.org>
				> Date: Tue, Jul 26, 2011 at 8:33 AM
				> Subject: Re: [Esapi-user] WAF 2.0?
alpha on repository
				> To: "Calderon, Juan Carlos (GE,
Corporate, consultant)" <juan.calderon at ge.com>
				> Cc: Jim Manico <jim.manico at owasp.org>,
Ryan Barnett <ryan.barnett at owasp.org>
				> 
				> 
				> Juan,
				> 
				> On Tue, Jul 26, 2011 at 6:02 AM,
Calderon, Juan Carlos (GE, Corporate,
				> consultant) <juan.calderon at ge.com>
wrote:
				> > What do you mean closing this off?
Having it ready or defining is an
				> > OWASP project?
				> 
				> I was referring to having it listed
as an OWASP Project, such as an
				> associated mailing list, etc.
				> 
				> On Tue, Jul 26, 2011 at 6:02 AM,
Calderon, Juan Carlos (GE, Corporate,
				> consultant) <juan.calderon at ge.com>
wrote:
				> > Just as a small update, Aldo Salas a
certified Java developer is helping
				> > me out to finish this project, we
have a progress meeting this Thursday,
				> > also I sent a paper proposal to
OWASP LATAM to present a course on
				> > Mod_security for Java this October
(that is it should be well tested and
				> > finished by then) :)
				> 
				> I can note this milestone in the
Project Plan - I will list it for
				> November to account for the unlikely
event that the deadline slips or
				> to demonstrate that we ship it earlier
than expected :)
				> 
				> 
				> -- 
				> Regards,
				> Christian Heinrich
				>
http://www.owasp.org/index.php/user:cmlh
				> 
				> 
				> ------------------------------
				> 
				> Message: 3
				> Date: Tue, 26 Jul 2011 19:25:14 -0500
				> From: Jim Manico
<jim.manico at owasp.org>
				> Subject: Re: [Esapi-user] .NET and
Java WAF
				> To: Christian Heinrich
<christian.heinrich at owasp.org>
				> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
				> <Esapi-user at lists.owasp.org>, Global
Projects Committee
				>
<global-projects-committee at lists.owasp.org>
				> Message-ID:
<-2981349937657456396 at unknownmsgid>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> I totally support splitting the ESAPI
WAF into a brand new project. Go
				> for it - and great work!
				> 
				> - Jim Manico
				> 
				> 
				> 
				> ------------------------------
				> 
				> Message: 4
				> Date: Tue, 26 Jul 2011 21:39:10 -0400
				> From: "Kevin W. Wall"
<kevin.w.wall at gmail.com>
				> Subject: Re: [Esapi-user] [Esapi-dev]
.NET and Java WAF
				> To: Jim Manico <jim.manico at owasp.org>
				> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
				> <Esapi-user at lists.owasp.org>, Global
Projects Committee
				>
<global-projects-committee at lists.owasp.org>
				> Message-ID:
				>
<CAOPE6Ph85Po+9Qs6d96GzYg4=5j5sYXQOU7JFEpJgF+o8iX_dg at mail.gmail.com>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> On Tue, Jul 26, 2011 at 8:25 PM, Jim
Manico <jim.manico at owasp.org> wrote:
				> > I totally support splitting the
ESAPI WAF into a brand new project. Go
				> > for it - and great work!
				> 
				> Christian,
				> 
				> I concur. However, please do keep us
in the loop, especially if you make
				> any changes that would affect how it
is used in ESAPI. I think that we would
				> like to keep it as an option there and
also be able to drop in your latest
				> version.
				> 
				> Thanks,
				> -kevin
				> -- 
				> Blog:
http://off-the-wall-security.blogspot.com/
				> "The most likely way for the world to
be destroyed, most experts agree,
				> is by accident. That's where we come
in; we're computer professionals.
				> We *cause* accidents." --
Nathaniel Borenstein
				> 
				> 
				> ------------------------------
				> 
				> Message: 5
				> Date: Tue, 26 Jul 2011 21:51:42 -0400
				> From: Jason Li <jason.li at owasp.org>
				> Subject: Re: [Esapi-user] [GPC] Fwd:
.NET and Java WAF
				> To: Christian Heinrich
<christian.heinrich at owasp.org>
				> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
				> <Esapi-user at lists.owasp.org>, Global
Projects Committee
				>
<global-projects-committee at lists.owasp.org>
				> Message-ID:
				>
<CAPfGuxawWMudERxnbN+-LfKZQ1tMfhUVs69fs9ntWkjHOiNPjg at mail.gmail.com>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> Christian,
				> 
				> There's no need to "escalate" for
recognition.
				> 
				> Any idea can always be submitted to
the GPC and they will be processed
				> by Paulo Coimbra like all other
requests.
				> 
				> I would encourage the group to read
the wiki article on starting an
				> OWASP project
(https://www.owasp.org/index.php/How_to_Start_an_OWASP_Project)
				> and ensure that the group submits the
necessary information.
				> 
				> -Jason
				> 
				> 
				> 
				> ------------------------------
				> 
				> Message: 6
				> Date: Tue, 26 Jul 2011 19:48:57 -0700
(PDT)
				> From: "Normando Macaraeg"
<nmacaraeg at jaspersoft.com>
				> Subject: [Esapi-user] using
SafeRequest
				> To: <esapi-user at lists.owasp.org>
				> Message-ID:
<[email protected]>
				> Content-Type: text/plain;
charset="us-ascii"
				> 
				> Hi,
				> 
				> Using the ESAPI Book as my guide, it
looks like when I find code that
				> looks like: 
				> 
				> HttpSession session =
request.getSession(); // unsafe session
				> 
				> I should change the code to this:
				> 
				> HttpSession session = new SafeRequest(
request ).getSession(); // safe
				> session
				> 
				> But the book says this works only if I
enable the ESAPIFilter. How do I
				> enable the ESAPIFilter?
				> 
				> -Norm
				> 
				> 
				> ------------------------------
				> 
				> Message: 7
				> Date: Tue, 26 Jul 2011 23:32:01 -0400
				> From: "Kevin W. Wall"
<kevin.w.wall at gmail.com>
				> Subject: Re: [Esapi-user] using
SafeRequest
				> To: Normando Macaraeg
<nmacaraeg at jaspersoft.com>
				> Cc: esapi-user at lists.owasp.org
				> Message-ID:
				>
<CAOPE6Pj3joRXWCo8bJY+BJPDy9Z_om-AZDkokumJEiSFganNPQ at mail.gmail.com>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> On Tue, Jul 26, 2011 at 10:48 PM,
Normando Macaraeg
				> <nmacaraeg at jaspersoft.com> wrote:
				> > Hi,
				> >
				> > Using the ESAPI Book as my guide, it
looks like when I find code that
				> > looks like:
				> >
				> > HttpSession session =
request.getSession(); // unsafe session
				> >
				> > I should change the code to this:
				> >
				> > HttpSession session = new
SafeRequest( request ).getSession(); // safe
				> > session
				> >
				> > But the book says this works only if
I enable the ESAPIFilter. How do I
				> > enable the ESAPIFilter?
				> 
				> You configure it just like any other
Java Servlet filter.
				> In your WEB-INF/web.xml file, you
would do something like
				> this:
				> 
				> <web-app id="myWebApp">
				>   ...
				>   <filter>
				>     <filter-name>ESAPI-Filter</filter-name>
				>     <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
				>     <!-- Note: Not sure it has any parameters. Check the
				>          source code or ask Jeff Williams. I don't have time
				>          right now. However, this is how you specify
				>          parameters. You can have more than one init-param
				>          section. -->
				>     <init-param>
				>       <param-name>greetings</param-name>
				>       <param-value>Hello, World</param-value>
				>     </init-param>
				>   </filter>
				> 
				>   <filter-mapping>
				>     <filter-name>ESAPI-Filter</filter-name>
				>     <url-pattern>/images/*</url-pattern>
				>   </filter-mapping>
				>   ...
				> </web-app>
				> 
				> The exact syntax may be slightly
different depending on what
				> Servlet Spec your JavaEE / servlet
container adheres to. Shown
				> above is for Servlet Spec 2.4.
				> 
				> -kevin
				> --
				> Blog:
http://off-the-wall-security.blogspot.com/
				> "The most likely way for the world to
be destroyed, most experts agree,
				> is by accident. That's where we come
in; we're computer professionals.
				> We *cause* accidents." -- Nathaniel
Borenstein
				> 
				> 
				> ------------------------------
				> 
				> Message: 8
				> Date: Wed, 27 Jul 2011 16:54:00 +1000
				> From: Christian Heinrich
<christian.heinrich at owasp.org>
				> Subject: Re: [Esapi-user] [Esapi-dev]
.NET and Java WAF
				> To: "Kevin W. Wall"
<kevin.w.wall at gmail.com>
				> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
				> <Esapi-user at lists.owasp.org>
				> Message-ID:
				>
<CAFCvB5Lq+GHVgySp+Z0do4x0w4RdN1YF1wy5Bbk4PrXLeQcK6A at mail.gmail.com>
				> Content-Type: text/plain;
charset=ISO-8859-1
				> 
				> Kevin,
				> 
				> I have dropped the GPC for the moment
from this discussion.
				> 
				> On Wed, Jul 27, 2011 at 11:39 AM,
Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
				> > I concur. However, please do keep us
in the loop, especially if you make
				> > any changes that would affect how it
is used in ESAPI. I think that we would
				> > like to keep it as an option there
and also be able to drop in your latest
				> > version.
				> 
				> I can create a dependency in the
Project Plan for this and a SVN tag
				> for the attention of ESAPI Java.
				> 
				> For your reference, Juan's import from
ESAPI Java was
				>
http://code.google.com/p/owasp-java-waf/source/detail?r=2
				> 
				> 
				> -- 
				> Regards,
				> Christian Heinrich
				>
http://www.owasp.org/index.php/user:cmlh
				> 
				> 
				> ------------------------------
				> 
