Letractively / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

org.owasp.esapi.reference.DefaultValidator reports ValidationException with IE 9 #262

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Build a simple web application with a simple index.jsp page in a subfolder /protected
2. Set up the ESAPIFilter filter, url pattern /protected/*
3. Call ESAPI.validator().assertIsValidHTTPRequest();

What is the expected output? What do you see instead?
No validation exception is expected. However, we instead see the error message below:

WARNING: SECURITY-FAILURE Anonymous@unknown:511637 -- Input exceeds maximum allowed length of 150 by 23 characters: context=HTTP header value (USER-AGENT): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C), type=HTTPHeaderValue), input=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)

That is because the header exceeds the 150 length limit, which is hard-coded in org.owasp.esapi.filters.SafeRequest.

What version of the product are you using? On what operating system?
1.4, Windows 7 Professional

Does this issue affect only a specified browser or set of browsers?
IE 9

Please provide any additional information below.
Maybe the validation limits in SafeRequest should be moved to the configuration?

Original issue reported on code.google.com by christof...@gmail.com on 15 Feb 2012 at 2:45
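The failure above and the reporter's proposed fix can be modelled in a few lines. The following is an added example written for this page, not ESAPI's code: it reproduces the length check that SafeRequest applies to header values, computes the same "exceeds ... by N characters" message, and makes the limit configurable per header (the change the report asks for). Python is used so the behaviour can be checked directly; the User-Agent string is the one quoted in the report, the 150 default mirrors the hard-coded value the report names, and the character whitelist is an assumption standing in for ESAPI's own `Validator.HTTPHeaderValue` pattern, not a copy of it.

```python
"""Model of a header-value validator with a configurable length limit.

Added example; not ESAPI's own code. The User-Agent below is the one quoted
in the bug report; the 150 default mirrors the hard-coded SafeRequest value.
The whitelist regex is an assumption, not ESAPI's actual property value.
"""
import re

# Assumed allowed characters for a header value (ESAPI's real rule lives in
# ESAPI.properties as Validator.HTTPHeaderValue; this approximation is ours).
HEADER_VALUE_PATTERN = re.compile(r"[a-zA-Z0-9()\-=*.?;,+/:&_ ]*")

# The hard-coded default the report complains about.
DEFAULT_MAX_HEADER_VALUE_LENGTH = 150

# User-Agent from the report (IE 9 sending a compatibility-view UA string).
REPORTED_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0; "
    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C)"
)


class ValidationException(Exception):
    """Raised when a header value fails length or character validation."""


def get_valid_header_value(context, value, max_length=DEFAULT_MAX_HEADER_VALUE_LENGTH):
    """Return value unchanged if it is within max_length and matches the whitelist.

    The length check runs first, and its message reports the overshoot in
    characters, matching the wording seen in the report's log line.
    """
    if len(value) > max_length:
        raise ValidationException(
            f"Input exceeds maximum allowed length of {max_length} by "
            f"{len(value) - max_length} characters: context={context}, "
            f"type=HTTPHeaderValue, input={value}"
        )
    # fullmatch avoids the '$'-before-trailing-newline quirk of re.match,
    # so a value ending in "\n" is still rejected.
    if HEADER_VALUE_PATTERN.fullmatch(value) is None:
        raise ValidationException(
            f"Invalid input: context={context}, type=HTTPHeaderValue, input={value}"
        )
    return value


def assert_is_valid_http_request(headers, limits=None):
    """Validate every header value and return a list of (name, message) failures.

    limits maps a lower-cased header name to its maximum length; headers not
    listed fall back to the global default. Returning failures instead of
    raising lets a filter log each one the way ESAPIFilter does.
    """
    limits = limits or {}
    failures = []
    for name, value in headers.items():
        max_len = limits.get(name.lower(), DEFAULT_MAX_HEADER_VALUE_LENGTH)
        try:
            get_valid_header_value(f"HTTP header value ({name.upper()})", value, max_len)
        except ValidationException as exc:
            failures.append((name, str(exc)))
    return failures


if __name__ == "__main__":
    # With the hard-coded default the report's UA fails by 23 characters.
    for name, msg in assert_is_valid_http_request({"User-Agent": REPORTED_USER_AGENT}):
        print(f"{name}: {msg}")
    # With a per-header limit from configuration the same request passes.
    print(assert_is_valid_http_request({"User-Agent": REPORTED_USER_AGENT},
                                       {"user-agent": 256}))
```

Running the block prints the 23-character overshoot for the default limit and an empty failure list once the User-Agent limit is raised through the `limits` mapping, which is the configurable behaviour the reporter suggests instead of a constant in SafeRequest.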