[Esapi-user] Help Regarding ESAPI

Jeremy Long jeremy.long at owasp.org
Tue Jun 14 11:26:12 EDT 2011


One option to consider for inspecting the contents of a file would be Apache
Tika: http://tika.apache.org/.

--Jeremy

On Tue, Jun 14, 2011 at 8:23 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

>
>
> On Tue, Jun 14, 2011 at 6:03 AM, ashish kumar gautam <gautamashishkumar at gmail.com> wrote:
>
>> Dear Sir
>>
>> I am using ESAPI for validating file name, file size and file content.
>> I am able to validate the file name and size.
>> I am not able to validate file content.
>>
>> The isValidFileContent() method does not validate the content of the file; it
>> validates the size of a file. Whereas I want to validate the content of the
>> file, i.e. I want to fix the content of the file.
>>
>
> When you write that you want to "validate the *content* of a file", what exactly do you mean? Do you mean something like being able to distinguish (say) a text file from a Java jar from an a.out executable from a Microsoft Word document, and to also make this judgement by the actual bytes representing the file (versus the naive attempt of making that judgement based on a file suffix)? If so, isValidFileContent() is definitely not intended to do anything like that and IIRC, ESAPI doesn't have anything that goes that deep. To do an analysis that goes beyond file suffix would require implementing something like *nix's file(1) command and its associated magic(5) file. And while I could see how each of these might be useful (for instance, you may want to ensure that someone can only upload certain image formats), even the techniques used by file and /etc/magic are not foolproof. In particular, these things were never meant to be file format checkers that could be used in a security context, as an adversary can generally find ways around them.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."        -- Nathaniel Borenstein
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
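As an added illustration (not code from this thread, from ESAPI, or from Apache Tika) of the file(1)-style magic-byte check Kevin describes, restricted to the image-upload allow-list case he mentions: the class name UploadContentCheck and the methods sniff and isValidUpload are assumed, and the three signatures are the published PNG, JPEG and GIF headers. It only inspects the leading bytes, so, as Kevin's caveat says, it is one layer of a content check rather than a foolproof one.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Allow-list check of an upload's leading bytes against known image signatures. */
public final class UploadContentCheck {

    // Assumed allow-list for this example: declared extension -> required magic bytes.
    private static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        SIGNATURES.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        SIGNATURES.put("gif", "GIF8".getBytes(StandardCharsets.US_ASCII));
    }

    /** Returns the allow-listed type whose signature the content starts with, or null. */
    public static String sniff(byte[] content) {
        for (Map.Entry<String, byte[]> e : SIGNATURES.entrySet()) {
            byte[] magic = e.getValue();
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                return e.getKey();
            }
        }
        return null; // no known signature: reject rather than guess
    }

    /** Accepts only when a known signature is present AND it agrees with the declared suffix. */
    public static boolean isValidUpload(String fileName, byte[] content) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return false;
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) ext = "jpg";
        String sniffed = sniff(content);
        return sniffed != null && sniffed.equals(ext);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a PNG header followed by the start of an IHDR length field,
        // and a text document whose suffix claims it is an image.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] html = "<html>".getBytes(StandardCharsets.US_ASCII);
        System.out.println("logo.png / PNG bytes:  " + isValidUpload("logo.png", png));
        System.out.println("logo.png / HTML bytes: " + isValidUpload("logo.png", html));
        System.out.println("logo.gif / PNG bytes:  " + isValidUpload("logo.gif", png));
    }
}
```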