[OWASP-ESAPI] Two questionable Regex in default ESAPI.propertiesfile

Jim Manico jim.manico at owasp.org
Mon Aug 3 01:31:31 EDT 2009

sounds resonable. Commit this to the "quality" branch and we will bring this 
into trunk during the merge. Cool.

- Jim

----- Original Message ----- 
From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
To: "owasp-esapi" <owasp-esapi at lists.owasp.org>
Sent: Sunday, July 26, 2009 2:24 PM
Subject: [OWASP-ESAPI] Two questionable Regex in default 

>I noticed these at the end of the ESAPI.properties file:
> # Validation of file related input
> Validator.FileName=^[[email protected]#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
> Validator.DirectoryName=^[a-zA-Z0-9:\\\\[email protected]#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
> I'm thinking that a 0 length (empty) file or directory name should not be
> allowed and that both of these regular expressions should end with
> {1,255}$
> rather than
> {0,255}$
> Or am I missing something. I didn't check how these were being used
> or checked. For instance, it may be caught anyhow because there are
> explicit checks in place for empty strings that you are trying to match
> against. (But still, I would argue in favor of making the REs to do
> what they ought to do in case such a check--if indeed there is one--
> were to ever be removed.)
> Thoughts?
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi

More information about the OWASP-ESAPI mailing list