Issue 151: HTTPParameterValue regular expression is too restrictive
Status:  Fixed
Owner:  ----
Closed:  Nov 2010


Reported by tejas.ma...@gmail.com, Sep 28, 2010
What steps will reproduce the problem?
1. We are entering an email ID in a field, but it throws an exception for the email ID. The following is the code for the same.

ESAPI.httpUtilities().setCurrentHTTP(request, response);

// log this request, obfuscating any parameter named password
ESAPI.httpUtilities().logHTTPRequest(ESAPI.httpUtilities().getCurrentRequest(), logger, Arrays.asList(obfuscate));

if ( !ESAPI.validator().isValidHTTPRequest(request) ) {
    request.setAttribute("message", "Validation error" );
    RequestDispatcher dispatcher = request.getRequestDispatcher("/test/common/pagenotfound.jsp");
    dispatcher.forward(request, response);
    ESAPI.authenticator().clearCurrent();
    ESAPI.httpUtilities().setCurrentHTTP(null, null);
    return;
}


What is the expected output? What do you see instead?
Email should be allowed; instead, an exception is thrown for a valid email ID.
I am using ESAPI-2.0.jar 

What version of the product are you using? On what operating system?
ESAPI-2.0.jar 
XP

Please provide any additional information below.

Exception thrown by ESAPI.


WARNING: [Anonymous:696153@unknown -> 127.0.0.1:8080/DefaultName/IntrusionDetector] Invalid input: context=HTTP request parameter: email, type(HTTPParameterValue)=^[a-zA-Z0-9.\-\/+=_ ]*$, input=tejas.makwana@gmail.com
org.owasp.esapi.errors.ValidationException: HTTP request parameter: email: Invalid input. Please conform to regex ^[a-zA-Z0-9.\-\/+=_ ]*$ with a maximum length of 65535
	at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:121)
	at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:172)
	at org.owasp.esapi.reference.DefaultValidator.assertIsValidHTTPRequest(DefaultValidator.java:692)
	at org.owasp.esapi.reference.DefaultValidator.isValidHTTPRequest(DefaultValidator.java:662)
	at com.org.esapi.ESAPIFilterJava.doFilter(ESAPIFilterJava.java:84)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)

Sep 28, 2010
Project Member #1 augu...@gmail.com
You need to modify the regex for HTTPParameterValue to include the @ symbol. In ESAPI.properties, change this line: 

Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$

To: 

Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$

An even better approach would be to validate the "email" parameter against an email-specific regular expression. 

DEVELOPERS: Should we add the @ symbol to HTTPParameterValue by default? 
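A constructed walkthrough of the point made in this comment, added here as an example and not part of the issue or of ESAPI's own code: it applies the Java Properties backslash rule to the two property lines quoted above (which is why the file shows `\\-` while the log shows `\-`), checks the reported address against the rule before and after the one-character change, and contrasts the widened generic rule with a parameter-specific e-mail rule. The e-mail regex, the sample parameters and the `validate_params` dispatch are my assumptions for illustration, not ESAPI defaults or ESAPI's wiring.

```python
import re

# Added example, not ESAPI's code.  The two lines below are the
# ESAPI.properties entries as quoted in the comment above.  The doubled
# backslashes are Java Properties escaping, not regex syntax, so they must
# be unescaped before the pattern is compiled.
PROPERTIES_BEFORE = r"Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$"
PROPERTIES_AFTER = r"Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$"

# Assumed parameter-specific rule for "email" (my own regex, not an ESAPI
# default) and the length cap quoted in the exception message above.
EMAIL_PATTERN = r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
MAX_LEN = 65535

# Constructed request parameters modelled on the report (not real traffic).
SAMPLE_PARAMS = {
    "email": "tejas.makwana@gmail.com",
    "name": "Tejas Makwana",
    "next": "/test/common/home.jsp",
}


def properties_value(line: str) -> str:
    # Java Properties: a backslash escapes the next character, so the file's
    # "\\-" loads as "\-" and "\\/" as "\/" (the pattern shown in the log).
    # Only the escapes these two lines use are handled (no \uXXXX, no
    # line continuations).
    _, _, raw = line.partition("=")
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])  # keep the escaped char, drop the backslash
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def is_valid(value, pattern: str, max_len: int = MAX_LEN) -> bool:
    """Allowlist check in the spirit of StringValidationRule: reject null,
    enforce the length cap, then require the whole value to match."""
    if value is None or len(value) > max_len:
        return False
    return re.fullmatch(pattern, value) is not None


def validate_params(params: dict, generic: str, specific: dict) -> dict:
    """Check every parameter: a parameter-specific rule when one is registered
    for its name, otherwise the generic HTTPParameterValue rule.  Returns a
    name -> bool map.  This dispatch is assumed for illustration; where ESAPI
    itself applies per-parameter rules is outside this example."""
    return {name: is_valid(value, specific.get(name, generic))
            for name, value in params.items()}


def demo() -> dict:
    """Run the three configurations against the sample request."""
    before = properties_value(PROPERTIES_BEFORE)
    after = properties_value(PROPERTIES_AFTER)
    email_rule = {"email": EMAIL_PATTERN}
    return {
        "loaded_before": before,
        "before": validate_params(SAMPLE_PARAMS, before, {}),
        "after": validate_params(SAMPLE_PARAMS, after, {}),
        "after_with_email_rule": validate_params(SAMPLE_PARAMS, after, email_rule),
        # The widened generic rule accepts this junk; the e-mail rule does not,
        # which is why a parameter-specific rule is the tighter allowlist.
        "junk_generic": is_valid("@@=@", after),
        "junk_email": is_valid("@@=@", EMAIL_PATTERN),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Adding `@` to the generic rule fixes the reported rejection but loosens the allowlist for every parameter in every request; a rule scoped to the `email` parameter keeps the generic rule narrow and still accepts the address.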
Sep 28, 2010
#2 manico.james@gmail.com
You are referring
Summary: HTTPParameterValue regular expression is too restrictive
Sep 29, 2010
#3 tejas.ma...@gmail.com
thanks a lot :)
Nov 2, 2010
#4 manico.james@gmail.com
August, let's make this change - it should be in there by default.
Status: Accepted
Labels: Milestone-Release2.0
Nov 2, 2010
Project Member #6 jtmel...@gmail.com
Simple 1 char change (this time in both esapi.properties files) as recommended above - attached patch, but probably easier just to make the change yourselves.
Attachment: email_in_http_params.patch (1.3 KB)
Nov 3, 2010
Project Member #7 augu...@gmail.com
Checked in to SVN as revision #1638
Status: Fixed
Nov 3, 2010
Project Member #8 jtmel...@gmail.com
Added a few unit tests to ensure fix functions properly.
Jun 21, 2011
#9 arjunpro...@gmail.com
Hi All,
I require some help regarding the implementation of ESAPI in Java. When I am providing an input as
instance.isValidInput("test", "hello@world.com", "Email", 100, false)
then it throws the following error on the console:
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid input: context=test, type=Email( Email), input=hello@world.com
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)
false


On using this as input to my source code: getValidInput("test", "hello12@world.com", "Email", 100, false)
I get the following error:

Jun 22, 2011 11:34:16 AM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid input: context=test, type=Email( Email), input=hello12@world.com
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)
org.owasp.esapi.errors.ValidationException: test: Invalid input. Please conform to: Email with a maximum length of 100
	at org.owasp.esapi.reference.DefaultValidator.getValidInput(Unknown Source)
	at Esapi.testIsValidEmail(Esapi.java:38)
	at Esapi.main(Esapi.java:49)

Can anyone please advise on the above errors?
Appreciate your help!

Attachment: esapi.rtf (2.9 KB)