[OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

Jim Manico jim.manico at owasp.org
Tue Aug 4 19:25:22 EDT 2009

Let's allow the quality-2.0 branch to stabilize and get integrated into trunk - then I'll mass-mail the other groups as to our changes. :) A little more sane...

Off topic, but I think that serious contributors need to be publicly glorified for their efforts. We should at least get the main contributors on the Wiki. If not more..

Thank you, gentlemen,

  ----- Original Message ----- 
  From: Craig Younkins 
  To: Jim Manico 
  Cc: Kevin W. Wall ; owasp-esapi 
  Sent: Tuesday, August 04, 2009 11:04 AM
  Subject: Re: [OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

  While on the subject, what about:


  and maybe:

  Craig Younkins

  On Mon, Aug 3, 2009 at 7:58 PM, Jim Manico <jim.manico at owasp.org> wrote:

    I passed these along to the other ESAPI teams.

    Thank you, Kevin,


    ----- Original Message -----
    From: "Kevin W. Wall" <kevin.w.wall at gmail.com>

    To: "Jim Manico" <jim.manico at owasp.org>; "owasp-esapi"
    <owasp-esapi at lists.owasp.org>

    Sent: Monday, August 03, 2009 9:55 AM
    Subject: Re: [OWASP-ESAPI] Two questionable Regex in default

    > Jim Manico wrote:
    >> sounds reasonable. Commit this to the "quality" branch and we will bring
    >> this into trunk during the merge. Cool.
    > Already did that as per Jeff Williams reply. It's probably not too far
    > fetched that these same REs are used in the other ESAPI implementations
    > too (.NET, PHP, etc.) so someone familiar with those should check them.
    > Here's what I changed... Validator.FileName and Validator.DirectoryName
    > from '{0,255}' to '{1,255}$'. The context was:
    >>> I noticed these at the end of the ESAPI.properties file:
    >>> # Validation of file related input
    >>> Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
    >>> Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
    >>> I'm thinking that a 0 length (empty) file or directory name should not
    >>> be
    >>> allowed and that both of these regular expressions should end with
    >>> {1,255}$
    >>> rather than
    >>> {0,255}$
    > -kevin
    > --
    > Kevin W. Wall
    > "The most likely way for the world to be destroyed, most experts agree,
    > is by accident. That's where we come in; we're computer professionals.
    > We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

    OWASP-ESAPI mailing list
    OWASP-ESAPI at lists.owasp.org

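To make the effect of the {0,255} -> {1,255} change concrete, here is an added example (not from the thread and not ESAPI's own code). It takes a constructed excerpt of the two Validator.FileName / Validator.DirectoryName lines as they appear in ESAPI.properties, unescapes them the way java.util.Properties does (a doubled backslash in the file is one backslash in the regex), and runs both the old and the changed quantifier against a handful of inputs. Python's re module stands in for java.util.regex here; re.fullmatch is used so that a trailing newline is not accepted, matching Java's String.matches() semantics rather than Python's "$". The property text and the candidate inputs are constructed for the example.

```python
import re

# Constructed excerpt of the two ESAPI.properties lines discussed in the
# thread, in java.util.Properties escaping. OLD_PROPERTIES has the {0,255}
# quantifier the thread found; NEW_PROPERTIES has Kevin's {1,255} change.
OLD_PROPERTIES = r"""
# Validation of file related input
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
"""
NEW_PROPERTIES = OLD_PROPERTIES.replace("{0,255}", "{1,255}")


def load_validator_patterns(text):
    """Parse 'Validator.X=regex' lines and unescape them as
    java.util.Properties would: backslash + char becomes char, so the
    file's '\\\\[' is the regex '\\[' and '\\\\\\\\' is a literal backslash."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' separates key/value
        value = re.sub(r"\\(.)", r"\1", value)
        patterns[key.strip()] = re.compile(value)
    return patterns


def is_valid(patterns, key, candidate):
    """Whole-string check. fullmatch emulates Java's String.matches(): with
    re.match/search, Python's '$' would also accept 'name\\n'."""
    return patterns[key].fullmatch(candidate) is not None


def compare(candidate):
    """Return (old FileName, new FileName, old DirectoryName, new DirectoryName)
    verdicts for one candidate string."""
    old = load_validator_patterns(OLD_PROPERTIES)
    new = load_validator_patterns(NEW_PROPERTIES)
    return (
        is_valid(old, "Validator.FileName", candidate),
        is_valid(new, "Validator.FileName", candidate),
        is_valid(old, "Validator.DirectoryName", candidate),
        is_valid(new, "Validator.DirectoryName", candidate),
    )


if __name__ == "__main__":
    # Constructed inputs: the empty string is the case the thread is about;
    # the others show that the character class, not the quantifier, decides
    # what else gets through.
    for candidate in ["", "report.pdf", "../etc/passwd", "..",
                      "..\\..\\boot.ini", "a" * 255, "a" * 256, "report.pdf\n"]:
        print(repr(candidate)[:24].ljust(26), compare(candidate))
```

Running it shows that only the empty string changes verdict between the two quantifiers. Everything else is decided by the character class: "/" is not in either class, so "../etc/passwd" fails both, but "." is, so ".." passes both, and DirectoryName also admits backslashes and ":" so a Windows-style "..\..\boot.ini" passes it. Whatever the regex accepts still has to go through the rest of the validator's file handling (canonicalization, extension checks) before it is safe to use, so the regex alone should not be read as a traversal filter.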