[OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

Jim Manico jim.manico at owasp.org
Mon Aug 3 19:58:02 EDT 2009


I passed these along to the other ESAPI teams.

Thank you, Kevin,
Jim

----- Original Message ----- 
From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
To: "Jim Manico" <jim.manico at owasp.org>; "owasp-esapi" <owasp-esapi at lists.owasp.org>
Sent: Monday, August 03, 2009 9:55 AM
Subject: Re: [OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file


> Jim Manico wrote:
>> sounds reasonable. Commit this to the "quality" branch and we will bring
>> this into trunk during the merge. Cool.
>
> Already did that as per Jeff Williams reply. It's probably not too far
> fetched that these same REs are used in the other ESAPI implementations
> too (.NET, PHP, etc.) so someone familiar with those should check them.
>
> Here's what I changed... Validator.FileName and Validator.DirectoryName
> from '{0,255}' to '{1,255}$'. The context was:
>
>>> I noticed these at the end of the ESAPI.properties file:
>>>
>>> # Validation of file related input
>>> Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
>>> Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
>>>
>>> I'm thinking that a 0 length (empty) file or directory name should not
>>> be allowed and that both of these regular expressions should end with
>>>
>>> {1,255}$
>>> rather than
>>> {0,255}$
>
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> 
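A small harness, added here and not part of ESAPI or of this thread, that loads the two quoted properties lines the way java.util.Properties unescapes them, then checks the {0,255} and {1,255} variants against the empty string and the length bound. It emulates Java's Matcher.matches() with re.fullmatch; the sample inputs are constructed.

```python
import re

# Constructed from the two ESAPI.properties lines quoted in the thread:
# the original {0,255} quantifier and Kevin's {1,255} replacement.
PROPERTIES_BEFORE = r"""
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
"""
PROPERTIES_AFTER = PROPERTIES_BEFORE.replace("{0,255}", "{1,255}")


def load_validator_patterns(text: str) -> dict:
    """Parse 'Validator.X=regex' lines as java.util.Properties would load them:
    a doubled backslash in the file becomes a single backslash in the value."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, raw = line.split("=", 1)
        patterns[key] = re.compile(raw.replace("\\\\", "\\"))
    return patterns


def validate(pattern, value: str) -> bool:
    """Mirror Java's Matcher.matches(): the whole input must match. fullmatch, not
    search, because Python's '$' also matches just before a trailing newline."""
    return pattern.fullmatch(value) is not None


def run_cases() -> dict:
    before = load_validator_patterns(PROPERTIES_BEFORE)
    after = load_validator_patterns(PROPERTIES_AFTER)
    cases = {
        "before/FileName/empty": (before["Validator.FileName"], ""),
        "after/FileName/empty": (after["Validator.FileName"], ""),
        "before/DirectoryName/empty": (before["Validator.DirectoryName"], ""),
        "after/DirectoryName/empty": (after["Validator.DirectoryName"], ""),
        "after/FileName/report-2009.txt": (after["Validator.FileName"], "report-2009.txt"),
        "after/DirectoryName/C:\\temp\\esapi": (after["Validator.DirectoryName"], "C:\\temp\\esapi"),
        "after/FileName/255 chars": (after["Validator.FileName"], "a" * 255),
        "after/FileName/256 chars": (after["Validator.FileName"], "a" * 256),
        "after/FileName/trailing newline": (after["Validator.FileName"], "report.txt\n"),
    }
    return {label: validate(p, v) for label, (p, v) in cases.items()}


if __name__ == "__main__":
    for label, accepted in run_cases().items():
        print(f"{label:40} -> {'accepted' if accepted else 'rejected'}")
```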
