[Owasp-leaders] Question on Regex
Jim Manico
jim.manico at owasp.org
Wed Oct 14 12:17:31 EDT 2009
James,
Please move this conversation to the ESAPI list.
But since I've already sent you all an email, let me answer.
1) We load those RegExes and cache them at config load time (and do
not hit disk each time we validate).
2) I prefer to map each parameter to a unique RegEx for maximum
flexibility.
3) The goal is to allow a security pro to modify your RegExes without
having to modify actual code.
4) Hard-coding RegExes in your code is a significant design anti-pattern, IMO.
I ask you to please rip the leaders list out of this conversation and
take it to the ESAPI list.
Jim Manico
On Oct 14, 2009, at 11:45 AM, "McGovern, James F. (eBusiness)" <James.McGovern at thehartford.com> wrote:
> Having a debate with some developers and I wanted to understand if
> there were any security perspectives that have merit when it comes to
> using Regex. So, I noted that ESAPI, for example, has a single
> properties file where regex compilation happens in each validation
> action and not via uber-singleton upfront compilation. Is this
> developer religion?
>
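The design Jim describes (one properties file, one regex per parameter, every pattern compiled once at config load and then reused by validators) in working form. This is an added illustration, not ESAPI's code: the `Validator.<Name>=<regex>` key layout, the parameter names and the patterns are constructed for the example, and the `max_length` check is an extra layer the text does not mention. It also shows the point of externalising the rules: a second config with a tighter `AccountNumber` pattern changes what is accepted without touching the validator code.

```python
import re

# Constructed sample, laid out like a properties file with one anchored
# regex per parameter name (hypothetical keys, not ESAPI's own file).
SAMPLE_PROPERTIES = r"""
# Validator.<ParameterName>=<anchored regex>
Validator.AccountNumber=^[0-9]{8,12}$
Validator.Email=^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$
Validator.ZipCode=^[0-9]{5}(-[0-9]{4})?$
"""

# A security reviewer tightens one rule by appending an override; no code change.
TIGHTER_PROPERTIES = SAMPLE_PROPERTIES + "\nValidator.AccountNumber=^[0-9]{10}$\n"


class ValidationConfig:
    """All validation regexes, parsed and compiled once when the config is loaded."""

    def __init__(self, properties_text: str, max_length: int = 256):
        self._patterns = {}
        self.max_length = max_length  # assumption: a length cap applied before the regex
        for raw in properties_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep or not key.startswith("Validator."):
                continue
            name = key[len("Validator."):].strip()
            # Compile here, at load time, never on the request path.
            # A later duplicate key overrides an earlier one.
            self._patterns[name] = re.compile(value.strip())

    def rule_names(self):
        return sorted(self._patterns)

    def pattern_for(self, name):
        # Returns the same compiled object on every call: no recompilation per validation.
        return self._patterns[name]

    def is_valid(self, name: str, value) -> bool:
        if name not in self._patterns:
            # Fail closed: a parameter with no configured rule is a configuration
            # bug and must not silently pass as "anything goes".
            raise ValueError(f"no validation rule configured for parameter {name!r}")
        if not isinstance(value, str) or len(value) > self.max_length:
            return False
        # fullmatch rejects trailing garbage such as "12345678\n", which a plain
        # match() against ^...$ would accept because $ matches before a final newline.
        return self._patterns[name].fullmatch(value) is not None


def demo():
    cfg = ValidationConfig(SAMPLE_PROPERTIES)
    tight = ValidationConfig(TIGHTER_PROPERTIES)
    return {
        "rules": cfg.rule_names(),
        "account_ok": cfg.is_valid("AccountNumber", "12345678"),
        "account_bad": cfg.is_valid("AccountNumber", "1234"),
        "account_newline": cfg.is_valid("AccountNumber", "12345678\n"),
        "email_ok": cfg.is_valid("Email", "alice@example.org"),
        "email_bad": cfg.is_valid("Email", "alice@example"),
        "tight_rejects_8_digits": tight.is_valid("AccountNumber", "12345678"),
        "tight_accepts_10_digits": tight.is_valid("AccountNumber", "1234567890"),
    }


if __name__ == "__main__":
    print(demo())
```

The per-request cost is a dictionary lookup plus one `fullmatch`; the parse and compile happen once in the constructor, which is the "cache at config load time" point. Keeping the rules in a file also means a reviewer can diff policy changes separately from application code.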