New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
isValidDate fails with patterns ending with "yyyy" #299
Comments
After researching this issue, there is a bug... but it's in Java's SimpleDateFormat class.
|
Ugh... what a bear... https://stackoverflow.com/q/16014488/557153 I'd been using JodaTime for so long that I completely forgot how god-awful SImpleDateFormat is. |
Well, since our goal is to shed dependencies, I can't just fix this with JodaTime. I think the only option is Java 1.8's new Time API. |
@xeno6696 Huh; and all this time I figured it was because the bug creator was using So, you're saying there's nothing wrong with the |
Yeah, but that will have to wait a while. We just made the announcement
that we were giving up the JDK 6 support and only supporting JDK 7. If all
of a sudden we drop JDK 7 and only support JDK 8 we're likely to lose a
large portion of the community who are actually *using* ESAPI and those are
the people who matter.
…On Wed, Jul 26, 2017 at 1:02 AM, Matt Seil ***@***.***> wrote:
Well, since our goal is to shed dependencies, I can't just fix this with
JodaTime.
I think the only option is Java 1.8's new Time API.
<https://dzone.com/articles/datetime-formattingparsing>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#299 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nm6cq-Lizg1trFyjlHuOhSaN6928gks5sRshugaJpZM4C6zDm>
.
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
|
@kwwall said"
Yep. We ultimately delegate validation to that class. So our method exposes the bad behavior in the original. |
My suggestion would be to rewrite or extract the date validation interface such that we can change the underlying implementation at will. Because of Java's longstanding |
users use a better implementation. Not perfect but... |
That sounds plausible, although we'll have to do so the old fashioned way (unless you can figure out a way to make it work via ObjFactory because ESAPI doesn't support dependency injection. (DI was one think that Chris and I both wanted for ESAPI 3.0. I looked a bit at using Google Guice vs. Spring to do it and Guice is much more lightweight in terms of dependencies, but that's a different topic for a different day.) If you want to spend that much time on it, I'd say go for it, but It's (JodaTime or whatever) has got to be merely a runtime dependency and can't be the default (although I guess it could have scope of 'test'). I don't want people complaining of yet another dependency. |
Looks like a possible fix is to use |
I also discovered that someone created an API to use java 1.8's time API in Java 6 and 7. |
It's a small world: The author of Joda Time is also the author of Java 1.8's java.time API. And is also the author of threeten backport. @kwwall I know that you and others are in an anti-dependency mindset, but this particular date issue could cause SQLi in target applications. I think we should seriously contemplate either JodaTime or this threeten backport to tighten that noose. Writing a custom date parser seems like obvious overkill. Especially with the wide variety of possible date formats that are Implicitly accepted by our decision to delegate to |
Whatever solution will pull in the least # of additional dependencies then. Sure, in theory this could result in SQLi, but chances are better than 50/50 that if they are using this to prevent it, there's probably a half-dozen places in their code where they are not using parametrized queries (e.g., |
I think the problem is a bit more severe: implementers use I know for a fact I made a hack on a previous project mistakenly blaming ESAPI on an issue like this. |
Closing as per merge of PR #468 |
From fagu...@gmail.com on February 14, 2013 05:48:25
What steps will reproduce the problem? 1.Instantiate a DateFormat with "dd/MM/yyyy" pattern
2.Call isValidDate method with "01/01/2AAA" as date What is the expected output? What do you see instead? I expected to get a false as result, but i got a true What version of the product are you using? On what operating system? Version 2.0.1 tested on Windows XP and Solaris both of them with java 1.6.0_33 Does this issue affect only a specified browser or set of browsers? No Please provide any additional information below. If I change the pattern to any other that don´t have "yyyy" at the end of the pattern i get a false as it´s expected.
Some examples:
Result:true
Result:false
Result:false
Result:true
Result:false
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=293
The text was updated successfully, but these errors were encountered: