[OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

Kevin W. Wall kevin.w.wall at gmail.com
Mon Aug 3 15:55:30 EDT 2009

Jim Manico wrote:
> Sounds reasonable. Commit this to the "quality" branch and we will bring
> this into trunk during the merge. Cool.

Already did that as per Jeff Williams' reply. It's probably not too
far-fetched that these same REs are used in the other ESAPI implementations
too (.NET, PHP, etc.), so someone familiar with those should check them.

Here's what I changed... Validator.FileName and Validator.DirectoryName
from '{0,255}' to '{1,255}$'. The context was:

>> I noticed these at the end of the ESAPI.properties file:
>> # Validation of file related input
>> Validator.FileName=^[[email protected]#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
>> Validator.DirectoryName=^[a-zA-Z0-9:\\\\[email protected]#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
>> I'm thinking that a 0 length (empty) file or directory name should not be
>> allowed and that both of these regular expressions should end with
>> {1,255}$
>> rather than
>> {0,255}$

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
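
An added example, not part of the original message and not ESAPI code: a small audit that loads `Validator.*` entries from properties text and reports which patterns accept the empty string, the condition the `{0,255}` to `{1,255}` change removes. The class name `EmptyMatchAudit`, the sample keys other than `Validator.FileName` and `Validator.DirectoryName`, and the simplified character classes are constructed for illustration; whole-input matching is an assumption.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class EmptyMatchAudit {
    // Constructed sample in .properties syntax. The character classes are
    // simplified stand-ins, not the real ESAPI patterns.
    static final String SAMPLE = String.join("\n",
        "# Validation of file related input",
        "Validator.FileName=^[a-zA-Z0-9._\\\\- ]{0,255}$",
        "Validator.DirectoryName=^[a-zA-Z0-9:/._\\\\- ]{1,255}$",
        "Validator.Comment=^[a-zA-Z0-9 ]*$",
        "Example.Unrelated=true");

    // Maps each Validator.* key to whether its regex accepts the empty string.
    static Map<String, Boolean> acceptsEmpty(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText)); // applies .properties backslash unescaping
        Map<String, Boolean> result = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            if (!key.startsWith("Validator.")) continue; // only validation patterns
            try {
                Pattern p = Pattern.compile(props.getProperty(key));
                result.put(key, p.matcher("").matches()); // assumption: whole-input match
            } catch (PatternSyntaxException e) {
                // A pattern that does not compile cannot validate anything; report it.
                System.err.println(key + ": invalid regex: " + e.getDescription());
            }
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        acceptsEmpty(SAMPLE).forEach((key, empty) ->
            System.out.println((empty ? "ACCEPTS EMPTY  " : "ok             ") + key));
    }
}
```

Patterns ending in `*` or `{0,n}` are flagged the same way, so the check also catches empty-input acceptance in entries other than the two discussed in the message.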
