[OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

Jim Manico jim.manico at owasp.org
Tue Aug 4 19:25:22 EDT 2009


Let's allow the quality-2.0 branch to stabilize and get integrated into trunk - then I'll mass-mail the other groups as to our changes. :) A little more sane...

Off topic, but I think that serious contributors need to be publicly glorified for their efforts. We should at least get the main contributors on the Wiki. If not more...

Thank you, gentlemen,
Jim

 
  ----- Original Message ----- 
  From: Craig Younkins 
  To: Jim Manico 
  Cc: Kevin W. Wall ; owasp-esapi 
  Sent: Tuesday, August 04, 2009 11:04 AM
  Subject: Re: [OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file


  While on the subject, what about:

  Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
  Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
  Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$

  and maybe:
  Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$

  Craig Younkins


  On Mon, Aug 3, 2009 at 7:58 PM, Jim Manico <jim.manico at owasp.org> wrote:

    I passed these along to the other ESAPI teams.

    Thank you, Kevin,

    Jim

    ----- Original Message -----
    From: "Kevin W. Wall" <kevin.w.wall at gmail.com>

    To: "Jim Manico" <jim.manico at owasp.org>; "owasp-esapi"
    <owasp-esapi at lists.owasp.org>

    Sent: Monday, August 03, 2009 9:55 AM
    Subject: Re: [OWASP-ESAPI] Two questionable Regex in default
    ESAPI.properties file



    > Jim Manico wrote:
    >> sounds reasonable. Commit this to the "quality" branch and we will bring
    >> this into trunk during the merge. Cool.
    >
    > Already did that as per Jeff Williams reply. It's probably not too far
    > fetched that these same REs are used in the other ESAPI implementations
    > too (.NET, PHP, etc.) so someone familiar with those should check them.
    >
    > Here's what I changed... Validator.FileName and Validator.DirectoryName
    > from '{0,255}' to '{1,255}$'. The context was:
    >
    >>> I noticed these at the end of the ESAPI.properties file:
    >>>
    >>> # Validation of file related input
    >>> Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
    >>> Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
    >>>
    >>> I'm thinking that a 0 length (empty) file or directory name should not
    >>> be allowed and that both of these regular expressions should end with
    >>>
    >>> {1,255}$
    >>> rather than
    >>> {0,255}$
    >
    > -kevin
    > --
    > Kevin W. Wall
    > "The most likely way for the world to be destroyed, most experts agree,
    > is by accident. That's where we come in; we're computer professionals.
    > We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
    >

    _______________________________________________
    OWASP-ESAPI mailing list
    OWASP-ESAPI at lists.owasp.org
    https://lists.owasp.org/mailman/listinfo/owasp-esapi


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090804/936ab115/attachment.html 
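The point of the thread is easy to check mechanically: a `{0,N}` quantifier anchored with `^...$` accepts the empty string, and Kevin's `{1,N}` change is exactly what closes that. The script below is an added example written for this page, not ESAPI code and not something any participant posted; it is in Python rather than ESAPI's Java so it can be run stand-alone. It takes the property lines quoted in the thread (Kevin's two file validators in their original `{0,255}` form plus Craig's four candidates) as a constructed sample, re-implements just enough of `java.util.Properties` backslash handling to turn the file text `\\-` into the regex text `\-` (an assumption: the real class also handles line continuations, which these lines do not use), audits every rule for empty-string acceptance, and applies the `{0,N}$` to `{1,N}$` rewrite. For these character classes Python's `re` and Java's `java.util.regex` agree, and `fullmatch` plays the role of `Matcher.matches()`.

```python
import re

# Constructed sample: the ESAPI.properties lines quoted in the thread (the
# {0,N} originals) plus Craig's candidates, verbatim in Java .properties form.
# Raw string, so every backslash is exactly as it sits in the file.
PROPERTIES = r"""
# Validation of file related input
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
"""

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw: str) -> str:
    """Minimal re-implementation (assumption: no line continuations) of the
    backslash rules of java.util.Properties: a doubled backslash becomes one
    backslash, backslash-u plus four hex digits becomes a code point, and any
    other escaped character stands for itself. So the file text backslash-
    backslash-hyphen reaches the regex engine as backslash-hyphen."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            i += 2
            if nxt == "u":
                out.append(chr(int(raw[i:i + 4], 16)))
                i += 4
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_validators(text: str) -> dict:
    """Parse 'Validator.X=regex' lines into {name: regex source}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            rules[key.strip()] = unescape_properties_value(value.strip())
    return rules


def is_valid(rules: dict, name: str, value: str) -> bool:
    """fullmatch() mirrors Java's Matcher.matches(): the whole input must be
    consumed, so a trailing newline cannot hide behind the '$'."""
    return re.fullmatch(rules[name], value) is not None


def accepts_empty(rules: dict) -> list:
    """Audit: every validator whose regex accepts the empty string."""
    return sorted(name for name in rules if is_valid(rules, name, ""))


_ZERO_MIN = re.compile(r"\{0,(\d+)\}\$$")


def tighten(rules: dict) -> dict:
    """Apply Kevin's fix to every rule: a trailing {0,N}$ becomes {1,N}$."""
    return {name: _ZERO_MIN.sub(r"{1,\1}$", src) for name, src in rules.items()}


if __name__ == "__main__":
    rules = load_validators(PROPERTIES)
    print("accept empty input:", accepts_empty(rules))
    fixed = tighten(rules)
    print("after {1,N}:", accepts_empty(fixed))
    # The file-name class admits '.' but neither '/' nor '\', so '..' alone
    # passes while '../etc/passwd' does not; the directory class admits '\'
    # and ':' but not '/', so a Windows path passes and a Unix path does not.
    for name, sample in [("Validator.FileName", "report 2009-08.txt"),
                         ("Validator.FileName", ".."),
                         ("Validator.FileName", "../etc/passwd"),
                         ("Validator.DirectoryName", "C:\\Temp\\logs"),
                         ("Validator.DirectoryName", "/tmp"),
                         ("Validator.SystemCommand", "rm -rf")]:
        print(f"{name:28} {sample!r:22} -> {is_valid(fixed, name, sample)}")
```

Run as a script it lists all six rules as empty-string acceptors before the rewrite and none after; the same `accepts_empty` audit can be pointed at a full ESAPI.properties to find any other `{0,N}` validator, which is the cross-implementation check Kevin asks for.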

