[OWASP-ESAPI] ESAPI 1.4 released!
Andrew van der Stock
vanderaj at owasp.org
Fri Nov 14 13:47:11 EST 2008
We've got a problem with symlinks (heavily used in MacOS X) where
simple things like /tmp and /etc are not really directories, and thus
fail the canonicalization test. There are two alternatives,
1. Declare this as "dark as the new standard for light" - i.e. gloss
over the problem. State outright in the reference implementation that
symlinks are explicitly not coped with as a destination, and thus will
fail, so only create your uploads type directory in a non-symlinked
2. Figure out how we can accept some symlinks and not others. I think
this is just going to unnecessarily complicate the reference
implementation, and we shouldn't do it.
This issue demonstrates why webappsec is so hard - there's no one true
answer. I personally lean towards (1) on the basis that the code and
assumptions are simpler, and more to the point, we never have false
Double Encoding is an issue on all platforms. The problem is that if
we use all the possible codecs to make things safe, it's actually hard
to leave valid constructs. To not perform some of those transforms
leaves us at risk. Personally, I think we should run only those codecs
which are necessary to produce a valid filename for that platform, and
then run the resulting filename through a list of potential codecs
that should not fail in test only mode. This gives a level of
confidence that the filename is okay (which is important for storage
reasons), but still doesn't say much about if the filename is safe to
be in a HTTP header. That should be the job of an output encoder, not
Test normalize fails on Leopard. I've seen this and have nearly worked
out why it occurs, but I believe it's similar in nature to the
testLoad() should only fail on the second time around due to the lack
of a tearDown() cleaning up the tests in the test resources directory.
Try cleaning the testresources directory out, and you'll see that
On Nov 14, 2008, at 11:45 AM, Andrea Cogliati wrote:
> I've tried to build ESAPI 1.4 on both Mac OS X Leopard and Vista.
> I've got some failures in tests:
> - testIsValidFileUpload fails on Leopard (expected, see comment in
> source code)
> - testDoubleEncodingCanonicalization fails on both platforms
> - testNormalize fails on Leopard
> - testDoubleEncodingCanonicalization fails on Vista
> - testLoad fails with an uncaught exception on both platforms
> On Nov 3, 2008, at 5:03 PM, Kevin Fealey wrote:
>> ESAPI 1.4 has been released! The links to earlier versions of the
>> ESAPI have been deprecated on Google Code. They are still
>> accessible, but will not display by default. Here are some of the
>> changes in 1.4:
>> • Updated Javadocs for interfaces to describe what reference
>> implementations should accomplish.
>> • Fixed tags in Javadocs so parameter names, etc. should be correct.
>> • Removed all references to interfaces that no longer exist.
>> • Added Multi-platform support for ESAPI test cases. They have
>> been tested for compatibility with MacOS X, Linux, Solaris, and
>> Windows Vista.
>> • Added session tracking to User to track multiple sessions.
>> • Updated Logger to read logging level out of ESAPI.properties.
>> • Edited Logger to output to a file specified in the security
>> • Enhanced log output format.
>> • Added methods to FileBasedAccessController to view data as
>> objects, rather than Strings.
>> Our goal for this release was to enhance functionality and
>> usability, ie. make it easier for developers to use the API. We
>> feel that by clarifying many topics in the Javadocs, it should be
>> much easier to get started with ESAPI.
>> We've seen a solid response from people starting to use the ESAPI,
>> and we're getting a lot of questions about how some things work.
>> I'm going to try to add new content to the Wiki weekly to address
>> most of the questions, so please check back here regularly.
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
More information about the OWASP-ESAPI