[OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

Craig Younkins craig.younkins at owasp.org
Tue Aug 4 17:04:31 EDT 2009


While on the subject, what about:

Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$

and maybe:
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$

Craig Younkins

On Mon, Aug 3, 2009 at 7:58 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I passed these along to the other ESAPI teams.
>
> Thank you, Kevin,
> Jim
>
> ----- Original Message -----
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> To: "Jim Manico" <jim.manico at owasp.org>; "owasp-esapi"
> <owasp-esapi at lists.owasp.org>
> Sent: Monday, August 03, 2009 9:55 AM
> Subject: Re: [OWASP-ESAPI] Two questionable Regex in default
> ESAPI.properties file
>
>
> > Jim Manico wrote:
> >> sounds reasonable. Commit this to the "quality" branch and we will bring
> >> this into trunk during the merge. Cool.
> >
> > Already did that as per Jeff Williams reply. It's probably not too
> > far-fetched that these same REs are used in the other ESAPI implementations
> > too (.NET, PHP, etc.) so someone familiar with those should check them.
> >
> > Here's what I changed... Validator.FileName and Validator.DirectoryName
> > from '{0,255}' to '{1,255}$'. The context was:
> >
> >>> I noticed these at the end of the ESAPI.properties file:
> >>>
> >>> # Validation of file related input
> >>> Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
> >>> Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
> >>>
> >>> I'm thinking that a 0 length (empty) file or directory name should not
> >>> be allowed and that both of these regular expressions should end with
> >>>
> >>> {1,255}$
> >>> rather than
> >>> {0,255}$
> >
> > -kevin
> > --
> > Kevin W. Wall
> > "The most likely way for the world to be destroyed, most experts agree,
> > is by accident. That's where we come in; we're computer professionals.
> > We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> >
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
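The zero-length problem Kevin describes for the file-name patterns, and the {0,N} patterns Craig lists above, as an added example that is not part of the original thread or of ESAPI's own code: a Python check that reads the properties lines with the same backslash unescaping java.util.Properties applies (so the file's "\\-" becomes the regex's "\-"), tests each pattern against the empty string, and applies the {0,N} to {1,N} change. The properties reader is a simplified one written for this example (first "=" separates key from value; "#" and "!" start comments), the function names are mine, and re.fullmatch stands in for the whole-input Matcher.matches() call that ESAPI's string validation makes, so a value with a trailing newline is rejected exactly as it is in Java.

```python
import re

# Sample input, embedded so the check runs offline: the shipped {0,N} forms
# of the ESAPI.properties lines quoted in the thread, in properties-file
# syntax (a doubled backslash is one escaped backslash).
PROPERTIES_TEXT = r"""
# Validation of HTTP-related input (the lines Craig asked about)
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
# Validation of file related input (the line Kevin changed)
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
"""

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw: str) -> str:
    # Undo java.util.Properties backslash escaping: a doubled backslash becomes
    # one backslash, \t \n \r \f become control characters, \uXXXX becomes that
    # code point, and any other backslash-x becomes x.
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
        elif i + 1 >= len(raw):
            i += 1  # a trailing lone backslash is dropped
        elif raw[i + 1] == "u" and i + 6 <= len(raw):
            out.append(chr(int(raw[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
    return "".join(out)


def load_validator_patterns(text: str) -> dict:
    # Simplified properties reader (assumption for this example): blank lines
    # and '#'/'!' comments are skipped, the first '=' splits key from value.
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        patterns[key.strip()] = unescape_properties_value(value.lstrip())
    return patterns


def is_valid(regex: str, candidate: str) -> bool:
    # Whole-input match, like Java's Matcher.matches(): with re.match, '$'
    # would also accept "Host\n" because it matches before a final newline.
    return re.fullmatch(regex, candidate) is not None


def accepts_empty(regex: str) -> bool:
    return is_valid(regex, "")


def require_non_empty(regex: str) -> str:
    # Kevin's fix, generalised to any pattern ending in {0,N}$: make the
    # lower bound 1. Patterns without that tail are returned unchanged.
    fixed, _ = re.subn(r"\{0,(\d+)\}\$$", r"{1,\1}$", regex)
    return fixed


def audit(text: str) -> dict:
    # For every Validator.* pattern: (accepts "" as shipped, accepts "" after fix)
    return {
        key: (accepts_empty(regex), accepts_empty(require_non_empty(regex)))
        for key, regex in load_validator_patterns(text).items()
    }


def main() -> None:
    for key, (before, after) in audit(PROPERTIES_TEXT).items():
        print(f"{key:32} empty accepted: shipped={before!s:5} fixed={after!s:5}")


if __name__ == "__main__":
    main()
```

Running it shows every listed pattern accepting the empty string as shipped and rejecting it once the lower bound is 1; the same fix leaves a pattern such as ^[a-z]+$ untouched, since it already requires at least one character.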