[Esapi-user] Help Regarding ESAPI

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jun 14 08:23:28 EDT 2011


On Tue, Jun 14, 2011 at 6:03 AM, ashish kumar gautam <
gautamashishkumar at gmail.com> wrote:

> Dear Sir
>
> I am using ESAPI for validating file name, file size and file content.
> I am able to validate the file name and size.
> I am not able to validate file content.
>
> isValidFileContent() method does not validate the content of the file, it
> validates the size of a file. Whereas I want to validate the content of the
> file, i.e. I want to fix the content of the file.
>

When you write that you want to "validate the *content* of a file", what exactly do you mean? Do you mean something like being able to distinguish (say) a text file from a Java jar from an a.out executable from a Microsoft Word document, and to also make this judgement by the actual bytes representing the file (versus the naive attempt of making that judgement based on a file suffix)? If so, isValidFileContent() is definitely not intended to do anything like that and IIRC, ESAPI doesn't have anything that goes that deep.

To do an analysis that goes beyond file suffix would require implementing something like *nix's file(1) command and its associated magic(5) file. And while I could see how each of these might be useful (for instance, you may want to ensure that someone can only upload certain image formats), even the techniques used by file and /etc/magic are not fool-proof. In particular, these things were never meant to be file format checkers that could be used in a security context as an adversary can generally find ways around them.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
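The file(1)-style check Kevin describes, as an added example (Python, not ESAPI's code and not anything from the list): it sniffs an allow-list of image formats by their magic bytes, requires the sniffed format to agree with the suffix, and for PNG goes one step past the magic match by parsing the first IHDR chunk and its CRC. The sample byte strings are constructed here; the format table and function names are this example's own.

```python
import struct
import zlib

# Leading bytes of a small allow-list of image formats (standard signatures).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_format(data: bytes):
    """Return the allow-listed format whose magic bytes start `data`, else None."""
    for fmt, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def png_header_is_well_formed(data: bytes) -> bool:
    """Beyond the signature: the first PNG chunk must be IHDR, 13 bytes long,
    and its CRC (over chunk type + chunk data) must check out."""
    if sniff_format(data) != "png" or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    crc_field = struct.unpack(">I", data[29:33])[0]
    return (zlib.crc32(data[12:29]) & 0xFFFFFFFF) == crc_field


def is_acceptable_upload(filename: str, data: bytes, allowed=("png", "jpeg", "gif")) -> bool:
    """Accept only if the bytes sniff as an allowed format AND match the suffix."""
    suffix = filename.rsplit(".", 1)[-1].lower()
    suffix = "jpeg" if suffix == "jpg" else suffix
    fmt = sniff_format(data)
    if fmt is None or fmt not in allowed or fmt != suffix:
        return False
    if fmt == "png":
        return png_header_is_well_formed(data)
    return True  # magic-only check for the other formats: necessary, not sufficient


def make_png_head(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a genuine PNG signature plus a valid IHDR chunk."""
    chunk = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return MAGIC["png"][0] + struct.pack(">I", 13) + chunk + crc


# Constructed samples: real PNG header, PNG signature followed by junk, and an MZ-style header.
GOOD_PNG = make_png_head()
SIGNATURE_ONLY = MAGIC["png"][0] + b"A" * 40
NOT_AN_IMAGE = b"MZ\x90\x00" + bytes(40)
```

The `SIGNATURE_ONLY` sample is the point of Kevin's caveat: a magic-only sniff calls it a PNG, and only the structural IHDR check rejects it; a full decoder in a sandbox is still the stronger control.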