search

batchu / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

SafeString validation.properties error on parsing \. #82

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 

GetInputValidation takes regular expression called SafeString.
Throws exception in parsing a simple regex.
Regular expression in the .properties file (validation.properties) contains
"\."

What steps will reproduce the problem?

1. create a new dynamic web project in eclipse, create new java file with
main(..) method

2. importcommons-fileupload-1.2.jar, commons-logging.jar,
ESAPI-2.0-rc2.jar, log4j-1.2.15.jar in WEB-INF/lib

3. Add following code in main method
        try {
            Validator instESAPI = ESAPI.validator();
            instESAPI.getValidInput("address","55 main st. pasadena ak",
"SafeString", 512, false);
        } catch (ValidationException ve) {
            ve.printStackTrace();
        } catch (IntrusionException ie) {
            ie.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }

4. run as Java application

What is the expected output? What do you see instead?

Expected out: no error is expected
What do I see instead: Following error
    org.owasp.esapi.errors.ValidationException: address: Invalid input. Please
conform to regex ^[p{L}p{N}.]{0,1024}$ with a maximum length of 512

What version of the product are you using? On what operating system?
Windows XP SP3 operating system, JDK 1.5, I tried both ESAPI-2.0-rc2.jar
and ESAPI-2.0-rc4.jar, same error.

Original issue reported on code.google.com by caugh...@gmail.com on 17 Dec 2009 at 6:21

GoogleCodeExporter commented 8 years ago 
This is due to not accounting for spaces in the SafeString regex.

Using the regex ^[.\\p{Alnum}\\p{Space}]{0,1024}$ resolves the issue. Also 
condensing
into \p{Alnum} requires a single CharClass lookup where \p{L}\p{N} requires 2.

Committing the fix to trunk for ESAPI4J 2.0

Original comment by chrisisbeef on 17 Dec 2009 at 10:52

GoogleCodeExporter commented 8 years ago

Original comment by chrisisbeef on 17 Dec 2009 at 11:28

GoogleCodeExporter commented 8 years ago 
This issue was closed by revision r914.

Original comment by chrisisbeef on 17 Dec 2009 at 11:30

GoogleCodeExporter commented 8 years ago

Original comment by chrisisbeef on 17 Dec 2009 at 11:30

GoogleCodeExporter commented 8 years ago 
Wow.  Thanks for such a rapid response!

Would like to re-test to confirm this fix works in local environment.

Is there a jar with this change in it or what is the next planned jar release?

Original comment by caugh...@gmail.com on 18 Dec 2009 at 7:26