Closed GoogleCodeExporter closed 9 years ago
Original comment by jonathan...@gmail.com on 11 May 2010 at 10:38
Congratulations, it appears that you're the first person to use this method, because it has more issues than just the handling of null.

It also doesn't accept the simplest query of "a=b" with the default configuration, as the default regex is using (1,50) instead of {1,50}. The code is specifying 2000 as the max length instead of 50. Even with the length fixed in the regex, it doesn't contain a %.

Happily it does reject a NUL but, when % is added to the regex, it happily accepts %00.
Original comment by schal...@darkmist.net on 16 May 2010 at 12:21
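The three regex defects described in the comment above, shown as an added Python illustration that is not ESAPI's own code. The patterns, the allowed character set and the 50-character limit are constructed to mirror the comment rather than copied from any ESAPI property file; Python's `re` treats `(1,50)`, `{1,50}` and character classes the same way Java's `java.util.regex` does, so the behaviour carries over.

```python
import re
from urllib.parse import unquote

# Constructed patterns that mirror the comment above; they are NOT ESAPI's
# actual property values. A literal "(1,50)" is a capturing group matching the
# four characters "1,50", not a repetition count, so the "broken" pattern only
# accepts one class character followed by the text "1,50" and rejects "a=b".
BROKEN_RE = re.compile(r"^[a-zA-Z0-9_\-=&](1,50)$")

# The quantifier {1,50} gives the intended "1 to 50 characters" rule.
FIXED_RE = re.compile(r"^[a-zA-Z0-9_\-=&]{1,50}$")

# Adding % to the class lets percent-encoded input through, including "%00",
# even though a raw NUL byte is still rejected because it is not in the class.
PERCENT_RE = re.compile(r"^[a-zA-Z0-9_\-=&%]{1,50}$")

# Keep the code's length limit equal to the regex quantifier (the comment
# notes the code said 2000 while the regex said 50).
MAX_LEN = 50


def matches(pattern, value):
    """True when the whole string matches the pattern."""
    return pattern.fullmatch(value) is not None


def is_valid_query_string(raw, max_len=MAX_LEN):
    """Canonicalize first, then validate the decoded value.

    Decoding before validation turns "%00" into a real NUL, so the same check
    that rejects a raw NUL rejects the encoded one, and the allow-list regex
    no longer needs to permit '%' at all.
    """
    decoded = unquote(raw)          # one round of percent-decoding
    if "\x00" in decoded:           # NUL, raw or encoded, is never valid
        return False
    if len(decoded) > max_len:      # explicit limit agrees with the regex
        return False
    return matches(FIXED_RE, decoded)


if __name__ == "__main__":
    # Constructed sample inputs exercising each defect.
    for raw in ("a=b", "a1,50", "a=%41", "a=%00", "a=\x00"):
        print(repr(raw),
              "broken:", matches(BROKEN_RE, raw),
              "percent:", matches(PERCENT_RE, raw),
              "fixed+decode:", is_valid_query_string(raw))
```

The design point is the order of operations: decode, reject control characters, then apply the allow-list. Validating the still-encoded string forces `%` into the character class, and once `%` is allowed the regex cannot tell `%41` from `%00`.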
This issue was closed by revision r1416.
Original comment by schal...@darkmist.net on 16 May 2010 at 1:50
Reopening, as this still needs to be checked/fixed in the 1.4 & 2.1 branches. It has been fixed in the 2.0 branch.
Original comment by schal...@darkmist.net on 16 May 2010 at 1:55
We blew away 2.1 and refreshed it with 2.0, so this only needs fixing in 1.4.
Original comment by manico.james@gmail.com on 2 Nov 2010 at 7:47
This issue is not relevant in ESAPI 2.x, and ESAPI 1.4.x is no longer supported. Even if this issue were to be fixed in ESAPI 1.4.x, it would still leave many other bugs, some of which are security issues, unfixed. Therefore, neither this bug nor any others that are specific to ESAPI 1.4.x will be fixed.
Original comment by kevin.w.wall@gmail.com on 23 Sep 2014 at 1:49
Original issue reported on code.google.com by jonathan...@gmail.com on 10 May 2010 at 2:40