batchu / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

RegExp for URL #104

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
On 5 Aug 09 Jim Manico proposed by email to change Validator.URL to
^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\(\\)\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
This is not in ESAPI 2.0 rc4 or 1.4.4. Should it be?

Also, can unit tests be added for (preferably before) any fancy regular 
expressions or changes to them? I'm anxious to avoid false positives, 
meaning rejection of valid URLs or similar expressions in a production 
system.

Original issue reported on code.google.com by mungo_ca...@standardlife.com on 3 Feb 2010 at 11:25

GoogleCodeExporter commented 8 years ago
We are moving to the URL Java class for this - the regex is vulnerable to regex 
DoS (see http://code.google.com/p/owasp-esapi-java/issues/detail?id=158); this 
will get fixed before the 2.0 GA release.

Original comment by manico.james@gmail.com on 1 Nov 2010 at 1:26
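As an added example (not ESAPI's own code), this is the java.net.URL-based check the second comment points toward, exercised against the kind of accept/reject inputs the first comment asks unit tests for. The scheme allow-list, the input length cap and the sample URLs are assumptions; Java 9+ is assumed for List.of/Set.of.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
import java.util.Set;

/** Added example: validate URLs with java.net.URL instead of a backtracking regex. */
public final class UrlValidationExample {
    // Assumed allow-list, mirroring the (ht|f)tp(s?) prefix of the proposed regex.
    // Note: a stock JDK has no "ftps" stream handler, so such inputs fail at parse time.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "ftp", "ftps");
    // Assumed upper bound: reject oversized input before any parsing or matching runs on it.
    private static final int MAX_LENGTH = 2048;

    public static boolean isValidUrl(String input) {
        if (input == null || input.isEmpty() || input.length() > MAX_LENGTH) {
            return false;
        }
        final URL url;
        try {
            url = new URL(input); // structural parse; any parse failure surfaces here
        } catch (MalformedURLException e) {
            return false;
        }
        if (!ALLOWED_SCHEMES.contains(url.getProtocol().toLowerCase())) {
            return false;
        }
        // java.net.URL tolerates an empty authority ("http://"); require a host explicitly.
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        // getPort() is -1 when no port was given; otherwise it must be a real TCP port.
        int port = url.getPort();
        return port == -1 || (port >= 1 && port <= 65535);
    }

    private static void check(boolean condition, String message) {
        if (!condition) throw new IllegalStateException(message);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first list must be accepted, the second rejected.
        List<String> accepted = List.of("http://example.com",
            "https://example.com:8443/path?q=1#frag", "ftp://files.example.com/pub/readme.txt");
        List<String> rejected = List.of("javascript:alert(1)", "http://",
            "file:///etc/passwd", "http://example.com:99999/", "not a url");
        for (String s : accepted) check(isValidUrl(s), "false positive: " + s);
        for (String s : rejected) check(!isValidUrl(s), "accepted bad URL: " + s);
        System.out.println("all URL checks passed");
    }
}
```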