Issue 151: HTTPParameterValue regular expression is too restrictive
Status:  Fixed
Owner:  ----
Closed:  Nov 2010

Reported Sep 28, 2010
What steps will reproduce the problem?
1. We are entering an email ID in a field, but it throws an exception for the email ID. The following is the code for the same.

ESAPI.httpUtilities().setCurrentHTTP(request, response);
// log this request, obfuscating any parameter named password
String[] obfuscate = { "password" };   // assumed: the parameter names to mask in the log; not shown in the original
ESAPI.httpUtilities().logHTTPRequest(ESAPI.httpUtilities().getCurrentRequest(), logger, Arrays.asList(obfuscate));
// validate every request parameter against the generic whitelist before the servlet sees it
if ( !ESAPI.validator().isValidHTTPRequest(request) ) {
    request.setAttribute("message", "Validation error" );
    RequestDispatcher dispatcher = request.getRequestDispatcher("/test/common/pagenotfound.jsp");
    dispatcher.forward(request, response);
    ESAPI.httpUtilities().setCurrentHTTP(null, null);
}


What is the expected output? What do you see instead?
The email should be allowed instead of getting an exception for a valid email ID.
I am using ESAPI-2.0.jar

What version of the product are you using? On what operating system?

Please provide any additional information below.

Exception thrown by ESAPI:

WARNING: [Anonymous:696153@unknown ->] Invalid input: context=HTTP request parameter: email, type(HTTPParameterValue)=^[a-zA-Z0-9.\-\/+=_ ]*$,
org.owasp.esapi.errors.ValidationException: HTTP request parameter: email: Invalid input. Please conform to regex ^[a-zA-Z0-9.\-\/+=_ ]*$ with a maximum length of 65535
	at org.owasp.esapi.reference.validation.StringValidationRule.getValid(
	at org.owasp.esapi.reference.DefaultValidator.getValidInput(
	at org.owasp.esapi.reference.DefaultValidator.assertIsValidHTTPRequest(
	at org.owasp.esapi.reference.DefaultValidator.isValidHTTPRequest(
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(
	at org.apache.catalina.core.StandardWrapperValve.invoke(
	at org.apache.catalina.core.StandardContextValve.invoke(
	at org.apache.catalina.core.StandardHostValve.invoke(
	at org.apache.catalina.valves.ErrorReportValve.invoke(
	at org.apache.catalina.core.StandardEngineValve.invoke(
	at org.apache.catalina.connector.CoyoteAdapter.service(
	at org.apache.coyote.http11.Http11Processor.process(
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(
	at org.apache.tomcat.util.threads.ThreadPool$

Sep 28, 2010
Project Member #1
You need to modify the regex for HTTPParameterValue to include the @ symbol. Change this line:

Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$

to:

Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$

An even better approach would be to validate the "email" parameter against an email-specific regular expression. 

DEVELOPERS: Should we add the @ symbol to HTTPParameterValue by default? 
Sep 28, 2010
You are referring
Summary: HTTPParameterValue regular expression is too restrictive
Sep 29, 2010
Thanks a lot :)
Nov 2, 2010
August, let's make this change - it should be in there by default.
Status: Accepted
Labels: Milestone-Release2.0
Nov 2, 2010
Project Member #6
Simple 1 char change (this time in both files) as recommended above - attached patch, but probably easier just to make the change yourselves.
[attached patch, 1.3 KB]
Nov 3, 2010
Project Member #7
Checked in to SVN as revision #1638
Status: Fixed
Nov 3, 2010
Project Member #8
Added a few unit tests to ensure fix functions properly.
Jun 21, 2011
Hi all,
I require some help regarding the implementation of ESAPI in Java. When I am providing an input as
instance.isValidInput("test", "", "Email", 100, false)
it throws the following error on the console:
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid input: context=test, type=Email( Email),
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)

On using this as input to my source code: getValidInput("test", "", "Email", 100, false)
I get the following error:

Jun 22, 2011 11:34:16 AM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid input: context=test, type=Email( Email),
    ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidInput(null:-1)
org.owasp.esapi.errors.ValidationException: test: Invalid input. Please conform to: Email with a maximum length of 100
	at org.owasp.esapi.reference.DefaultValidator.getValidInput(Unknown Source)
	at Esapi.testIsValidEmail(
	at Esapi.main(

Can anyone please suggest something on the above errors?
Appreciate your help!

[attachment, 2.9 KB]
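Added example, not code from ESAPI or from anyone in this thread: a stand-alone Python reimplementation of the whitelist check that comment #1 describes and that both posts on this page run into. It compares the pre-fix and post-fix HTTPParameterValue regexes quoted above against an email-specific pattern, routes a named parameter through its own type instead of the generic rule (comment #1's "even better approach"), and shows the empty-input call from the second post, isValidInput("test", "", "Email", 100, false), which this code rejects because allowNull is false. Assumptions: the Email pattern, the PARAM_RULES map, the sample values and all function names are mine; the argument order (context, input, type, maxLength, allowNull) is copied from the calls quoted on the page, but the behaviour shown is this code's own, not a statement about ESAPI internals.

```python
import re

# The two regexes quoted in the thread: the pre-fix HTTPParameterValue default
# and the one-character fix that adds '@'. The Java properties file
# double-escapes the backslashes; here they are Python raw strings.
HTTP_PARAMETER_VALUE_BEFORE = r"^[a-zA-Z0-9.\-\/+=_ ]*$"
HTTP_PARAMETER_VALUE_AFTER = r"^[a-zA-Z0-9.\-\/+=@_ ]*$"

# Assumed email whitelist of the kind comment #1 recommends; the thread does
# not show ESAPI's Validator.Email pattern, so this one is an assumption.
EMAIL = r"^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$"

VALIDATION_PATTERNS = {
    "HTTPParameterValue": HTTP_PARAMETER_VALUE_AFTER,
    "Email": EMAIL,
}


class ValidationException(ValueError):
    """Raised when an input fails the whitelist (same name as ESAPI's exception)."""


def get_valid_input(context, value, type_name, max_length, allow_null,
                    patterns=VALIDATION_PATTERNS):
    """Whitelist-validate one string. The argument order follows the
    getValidInput(context, input, type, maxLength, allowNull) calls quoted on
    the page, but this is a stand-alone reimplementation, not ESAPI: an empty
    input passes only when allow_null is true; otherwise the length cap and
    the named pattern must both hold over the whole value."""
    if value is None or value == "":
        if allow_null:
            return None
        raise ValidationException(f"{context}: Input required.")
    pattern = patterns.get(type_name)
    if pattern is None:
        raise ValueError(f"no validation pattern named {type_name!r}")
    if len(value) > max_length:
        raise ValidationException(
            f"{context}: Invalid input. The maximum length of {max_length} "
            f"characters was exceeded.")
    # fullmatch, not match: Python's '$' also matches before a trailing
    # newline, so re.match would let "user@example.com\n" through.
    if re.fullmatch(pattern, value) is None:
        raise ValidationException(
            f"{context}: Invalid input. Please conform to: {type_name} "
            f"with a maximum length of {max_length}")
    return value


def is_valid_input(context, value, type_name, max_length, allow_null):
    """Boolean form, like the isValidInput call in the second post."""
    try:
        get_valid_input(context, value, type_name, max_length, allow_null)
        return True
    except ValidationException:
        return False


def whitelist_verdicts(value):
    """(before-fix, after-fix, email) verdicts for one value, to show what the
    one-character change lets through that an email pattern still rejects."""
    return tuple(re.fullmatch(p, value) is not None
                 for p in (HTTP_PARAMETER_VALUE_BEFORE,
                           HTTP_PARAMETER_VALUE_AFTER, EMAIL))


# Hypothetical per-parameter rules for one form: name -> (type, maxLength).
# Anything not listed falls back to the generic HTTPParameterValue rule.
PARAM_RULES = {"email": ("Email", 254)}


def validate_request_params(params, generic_max_length=65535):
    """Check every parameter the way the generic rule is applied to a whole
    request, but route parameters with a known type through their own
    whitelist. Returns {name: error message}; empty dict means valid."""
    errors = {}
    for name, value in params.items():
        type_name, max_len = PARAM_RULES.get(
            name, ("HTTPParameterValue", generic_max_length))
        try:
            get_valid_input(f"HTTP request parameter: {name}", value,
                            type_name, max_len, False)
        except ValidationException as exc:
            errors[name] = str(exc)
    return errors


if __name__ == "__main__":
    # Constructed sample values, not data from the thread.
    for sample in ("user@example.com", "user@", "alice", "<script>"):
        print(f"{sample!r:22} before/after/email = {whitelist_verdicts(sample)}")
    print(validate_request_params({"email": "user@", "q": "hello world"}))
    print(is_valid_input("test", "", "Email", 100, False))
```

Two things worth noticing when running it: "user@" passes the post-fix generic rule but not the email pattern, which is why comment #1 calls the per-parameter type the better approach, and the empty string is refused purely by the allow_null flag before any regex is consulted, so widening the pattern would not change the outcome of the second post's call.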

Powered by Google Project Hosting