What steps will reproduce the problem?
1. Build a simple web application with a simple index.jsp page in a subfolder
/protected
2. Setup ESAPIfilter filter, url pattern /protected/*
3. Call ESAPI.validator().assertIsValidHTTPRequest();
What is the expected output? What do you see instead?
No validation exception is expected. However, we instead see below error
message:
WARNING: SECURITY-FAILURE Anonymous@unknown:511637 -- Input exceeds maximum
allowed length of 150 by 23 characters: context=HTTP header value (USER-AGENT):
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/5.0;
.NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center
PC 6.0; .NET4.0C), type=HTTPHeaderValue), input=Mozilla/4.0 (compatible; MSIE
7.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET
CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)
That is because the header exceeds the 150 length limit, which is hard coded in
org.owasp.esapi.filters.SafeRequest
What version of the product are you using? On what operating system?
1.4 , Windows 7 Professional
Does this issue affect only a specified browser or set of browsers?
IE 9
Please provide any additional information below.
Maybe the validation limits in Safe request should be moved to the
configuration?
Original issue reported on code.google.com by christof...@gmail.com on 15 Feb 2012 at 2:45
Original issue reported on code.google.com by
christof...@gmail.comon 15 Feb 2012 at 2:45