[OWASP-ESAPI] ESAPI 1.4 released!

Andrew van der Stock vanderaj at owasp.org
Fri Nov 14 13:47:11 EST 2008


We've got a problem with symlinks (heavily used in MacOS X) where  
simple things like /tmp and /etc are not really directories, and thus  
fail the canonicalization test. There are two alternatives,

1. Declare this as "dark as the new standard for light" - i.e. gloss  
over the problem. State outright in the reference implementation that  
symlinks are explicitly not coped with as a destination, and thus will  
fail, so only create your uploads type directory in a non-symlinked  
area, or

2. Figure out how we can accept some symlinks and not others. I think  
this is just going to unnecessarily complicate the reference  
implementation, and we shouldn't do it.

This issue demonstrates why webappsec is so hard - there's no one true  
answer. I personally lean towards (1) on the basis that the code and  
assumptions are simpler, and more to the point, we never have false  

Double Encoding is an issue on all platforms. The problem is that if  
we use all the possible codecs to make things safe, it's actually hard  
to leave valid constructs. To not perform some of those transforms  
leaves us at risk. Personally, I think we should run only those codecs  
which are necessary to produce a valid filename for that platform, and  
then run the resulting filename through a list of potential codecs  
that should not fail in test only mode. This gives a level of  
confidence that the filename is okay (which is important for storage  
reasons), but still doesn't say much about if the filename is safe to  
be in an HTTP header. That should be the job of an output encoder, not  

Test normalize fails on Leopard. I've seen this and have nearly worked  
out why it occurs, but I believe it's similar in nature to the  
previous problem.

testLoad() should only fail on the second time around due to the lack  
of a tearDown() cleaning up the tests in the test resources directory.  
Try cleaning the testresources directory out, and you'll see that  


On Nov 14, 2008, at 11:45 AM, Andrea Cogliati wrote:

> Kevin,
> I've tried to build ESAPI 1.4 on both Mac OS X Leopard and Vista.  
> I've got some failures in tests:
> - testIsValidFileUpload fails on Leopard (expected, see comment in  
> source code)
> - testDoubleEncodingCanonicalization fails on both platforms
> - testNormalize fails on Leopard
> - testDoubleEncodingCanonicalization fails on Vista
> - testLoad fails with an uncaught exception on both platforms
> Andrea
> On Nov 3, 2008, at 5:03 PM, Kevin Fealey wrote:
>> ESAPI 1.4 has been released!  The links to earlier versions of the  
>> ESAPI have been deprecated on Google Code.  They are still  
>> accessible, but will not display by default.  Here are some of the  
>> changes in 1.4:
>> 	• Updated Javadocs for interfaces to describe what reference  
>> implementations should accomplish.
>> 	• Fixed tags in Javadocs so parameter names, etc. should be correct.
>> 	• Removed all references to interfaces that no longer exist.
>> 	• Added Multi-platform support for ESAPI test cases.  They have  
>> been tested for compatibility with MacOS X, Linux, Solaris, and  
>> Windows Vista.
>> 	• Updated Javascript codec to better follow the spec.
>> 	• Added session tracking to User to track multiple sessions.
>> 	• Updated Logger to read logging level out of ESAPI.properties.
>> 	• Edited Logger to output to a file specified in the security  
>> configuration.
>> 	• Enhanced log output format.
>> 	• Added methods to FileBasedAccessController to view data as  
>> objects, rather than Strings.
>> Our goal for this release was to enhance functionality and  
>> usability, i.e. make it easier for developers to use the API.  We  
>> feel that by clarifying many topics in the Javadocs, it should be  
>> much easier to get started with ESAPI.
>> We've seen a solid response from people starting to use the ESAPI,  
>> and we're getting a lot of questions about how some things work.   
>> I'm going to try to add new content to the Wiki weekly to address  
>> most of the questions, so please check back here regularly.
>> Thanks,
>> Kevin
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi

Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
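Added example, not from this thread and not ESAPI code: a small Python (rather than the Java of the ESAPI test suite) sketch of the two points above. Part 1 builds a constructed uploads directory plus a symlink to it (the /tmp -> /private/tmp situation on Mac OS X) and shows why a check that compares a path's canonical form against its absolute form fails under the symlink, next to a check that canonicalizes the base directory too and still rejects ../ traversal. Part 2 applies only the one decode the platform needs (percent-decoding a form value) and then runs other codecs in test-only mode, reporting whether they would still change the name. The directory names and the codec list are illustrative assumptions.

```python
import html
import os
import tempfile
import urllib.parse


# --- Part 1: canonicalization of an upload path under a symlinked directory ---

def naive_is_inside(base_dir, name):
    """The check that breaks on symlinks: accept the candidate only if its
    canonical (symlink-resolved) form equals its absolute form. Under a
    symlinked base such as /tmp -> /private/tmp the two never match."""
    candidate = os.path.join(base_dir, name)
    return os.path.realpath(candidate) == os.path.abspath(candidate)


def is_inside_canonical_base(base_dir, name):
    """Canonicalize the base directory as well as the candidate, then require
    the candidate to sit strictly below the canonical base. A symlinked base
    is tolerated; '..' traversal out of it is not."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_dir, name))
    return target.startswith(base + os.sep)


def demo_symlink_checks():
    """Constructed layout: <root>/real_uploads and <root>/uploads -> real_uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # fully resolved, so only our symlink is in play
        real_uploads = os.path.join(root, "real_uploads")
        os.mkdir(real_uploads)
        link_uploads = os.path.join(root, "uploads")
        os.symlink(real_uploads, link_uploads)
        return {
            "naive_real": naive_is_inside(real_uploads, "report.pdf"),
            "naive_link": naive_is_inside(link_uploads, "report.pdf"),
            "canon_real": is_inside_canonical_base(real_uploads, "report.pdf"),
            "canon_link": is_inside_canonical_base(link_uploads, "report.pdf"),
            "canon_traversal": is_inside_canonical_base(link_uploads, "../../etc/passwd"),
        }


# --- Part 2: one real decode, then the remaining codecs in test-only mode ---

# Illustrative list. These never transform the name; they only report whether
# they *would* have. A hit means the name still carries an encoding layer.
DETECT_ONLY_CODECS = {
    "percent": urllib.parse.unquote,
    "html_entity": html.unescape,
}


def codecs_that_would_change(value):
    return [name for name, decode in DETECT_ONLY_CODECS.items() if decode(value) != value]


def check_upload_name(raw):
    """Apply only the transform the platform needs (percent-decoding a form
    value), then list the detect-only codecs that would still change the
    result. Returns (decoded_name, suspicious_codecs); non-empty means reject."""
    name = urllib.parse.unquote(raw)
    return name, codecs_that_would_change(name)


if __name__ == "__main__":
    print(demo_symlink_checks())
    for raw in ("my%20report.pdf", "%252e%252e%2f", "&#46;&#46;%2fpasswd"):
        print(raw, "->", check_upload_name(raw))
```

The test-only pass shows the tension the mail describes: a filename that legitimately contains a literal "%2e" is flagged just like a double-encoded "../", so the list of detect-only codecs has to be chosen per platform rather than run exhaustively. Neither function says anything about whether the name is safe to emit in an HTTP header; that remains the output encoder's job.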
