[OWASP-ESAPI] Two questionable Regex in default ESAPI.properties file

Chris Schmidt chrisisbeef at gmail.com
Tue Aug 4 19:56:08 EDT 2009


I accept checks or cash, or airline miles redeemable for trips to New
Zealand.. :D

In all seriousness, I think it would be awesome to be listed on the wiki
and associated publicly with the ESAPI Project. 

Thanks!


On Tue, 2009-08-04 at 13:25 -1000, Jim Manico wrote:
> Let's allow the quality-2.0 branch to stabilize and get integrated
> into trunk - then I'll mass-mail the other groups as to our
> changes. :) A little more sane...
>  
> Off topic, but I think that serious contributors need to be publicly
> glorified for their efforts. We should at least get the main
> contributors on the Wiki. If not more..
>  
> Thank you, gentlemen,
> Jim
>  
>  
>         ----- Original Message ----- 
>         From: Craig Younkins 
>         To: Jim Manico 
>         Cc: Kevin W. Wall ; owasp-esapi 
>         Sent: Tuesday, August 04, 2009 11:04 AM
>         Subject: Re: [OWASP-ESAPI] Two questionable Regex in default
>         ESAPI.properties file
>         
>         
>         While on the subject, what about:
>         
>         Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
>         Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
>         Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
>         
>         and maybe:
>         Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
>         
>         Craig Younkins
>         
>         On Mon, Aug 3, 2009 at 7:58 PM, Jim Manico
>         <jim.manico at owasp.org> wrote:
>                 I passed these along to the other ESAPI teams.
>                 
>                 Thank you, Kevin,
>                 Jim
>                 
>                 ----- Original Message -----
>                 From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
>                 
>                 To: "Jim Manico" <jim.manico at owasp.org>; "owasp-esapi"
>                 <owasp-esapi at lists.owasp.org>
>                 
>                 Sent: Monday, August 03, 2009 9:55 AM
>                 Subject: Re: [OWASP-ESAPI] Two questionable Regex in
>                 default ESAPI.properties file
>                 
>                 
>                 
>                 
>                 > Jim Manico wrote:
>                 >> Sounds reasonable. Commit this to the "quality" branch and we will bring
>                 >> this into trunk during the merge. Cool.
>                 >
>                 > Already did that as per Jeff Williams reply. It's
>                 probably not too far
>                 > fetched that these same REs are used in the other
>                 ESAPI implementations
>                 > too (.NET, PHP, etc.) so someone familiar with those
>                 should check them.
>                 >
>                 > Here's what I changed... Validator.FileName and
>                 Validator.DirectoryName
>                 > from '{0,255}' to '{1,255}$'. The context was:
>                 >
>                 >>> I noticed these at the end of the ESAPI.properties file:
>                 >>>
>                 >>> # Validation of file related input
>                 >>> Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
>                 >>> Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
>                 >>>
>                 >>> I'm thinking that a 0 length (empty) file or directory name should not
>                 >>> be allowed and that both of these regular expressions should end with
>                 >>>
>                 >>> {1,255}$
>                 >>> rather than
>                 >>> {0,255}$
>                 >
>                 > -kevin
>                 > --
>                 > Kevin W. Wall
>                 > "The most likely way for the world to be destroyed,
>                 most experts agree,
>                 > is by accident. That's where we come in; we're
>                 computer professionals.
>                 > We cause accidents."        -- Nathaniel Borenstein,
>                 co-creator of MIME
>                 >
>                 
>                 _______________________________________________
>                 OWASP-ESAPI mailing list
>                 OWASP-ESAPI at lists.owasp.org
>                 https://lists.owasp.org/mailman/listinfo/owasp-esapi
>                 
>         
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
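A worked check of the patterns discussed in this thread (Kevin's FileName/DirectoryName change and Craig's header, cookie, parameter and SystemCommand candidates), added here as an example; it is not ESAPI code and not part of any message above. It loads the quoted Validator.* lines the way java.util.Properties unescapes them (so `\\[` in the file becomes `\[` in the regex and `\\\\` becomes a literal backslash), applies the `{0,N}` to `{1,N}` change, and uses whole-input matching, as ESAPI's validator rules do, to show which candidate values each pattern accepts. The properties excerpt, the sample values and the helper names are my own constructions.

```python
import re

# Constructed excerpt of the Validator.* lines quoted in the thread,
# with the {0,N} lower bounds as they stood before Kevin's change.
PROPERTIES_TEXT = r"""
# Validation of file related input
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9:\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{0,255}$
# Craig's candidates for the same treatment
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
"""


def unescape_java_property_value(raw):
    r"""Apply java.util.Properties escape rules to a value: a doubled
    backslash becomes one backslash, \t \n \r \f and \uXXXX are decoded,
    and for any other escaped character the backslash is simply dropped."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            i += 2
            if nxt == "u" and i + 4 <= len(raw):
                out.append(chr(int(raw[i:i + 4], 16)))
                i += 4
            else:
                out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_properties(text):
    """Minimal properties reader: key=value per line, '#' comments,
    no line continuations (enough for the excerpt above)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = unescape_java_property_value(value)
    return props


def accepts(pattern, value):
    """Whole-input match, mirroring Java's Matcher.matches(), which is what
    ESAPI's string validation rules use. Unlike a bare '$' anchor this
    also rejects a value with a trailing newline."""
    return re.fullmatch(pattern, value) is not None


def require_non_empty(pattern):
    """Kevin's fix: turn a trailing {0,N}$ into {1,N}$."""
    return re.sub(r"\{0,(\d+)\}\$\Z", r"{1,\1}$", pattern)


def empty_accepting_keys(props):
    """Names of the validators whose pattern lets the empty string through."""
    return [k for k, p in props.items() if accepts(p, "")]


ORIGINAL = load_properties(PROPERTIES_TEXT)
FIXED = {k: require_non_empty(p) for k, p in ORIGINAL.items()}

# Constructed sample inputs, one list per validator.
SAMPLES = {
    "Validator.FileName": ["report-2009.txt", "my file (1).txt", "../etc/passwd", "report.txt\n"],
    "Validator.DirectoryName": ["C:\\temp", "/tmp"],
    "Validator.HTTPHeaderName": ["X-Request-ID", "Content Type", "X" * 33],
    "Validator.HTTPParameterName": ["user_id", "user-id"],
    "Validator.SystemCommand": ["/bin/ls", "ls -la"],
}


def report(props, samples=SAMPLES):
    """Map (validator, sample) -> accepted? for the given property set."""
    return {(k, v): accepts(props[k], v) for k, vals in samples.items() for v in vals}


if __name__ == "__main__":
    print("accept empty string (original):", empty_accepting_keys(ORIGINAL))
    print("accept empty string (fixed):   ", empty_accepting_keys(FIXED))
    for (key, value), ok in report(FIXED).items():
        print(f"{key:30} {value!r:22} {'accept' if ok else 'reject'}")
```

Running it shows that every one of the six quoted patterns accepts the empty string until the lower bound is raised to 1, after which none does. The rest of the table is just the character whitelist at work: the DirectoryName pattern as quoted contains `:` and a literal backslash but no `/`, so a Windows path passes and a POSIX one does not, and none of the patterns admit a space, which is why `ls -la` fails SystemCommand.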



More information about the OWASP-ESAPI mailing list