Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Construct "&" in Validator.URL is simple character class, not reference to ampersand #327

Closed
meg23 opened this issue Nov 13, 2014 · 5 comments
Closed

Construct "&" in Validator.URL is simple character class, not reference to ampersand #327

meg23 opened this issue Nov 13, 2014 · 5 comments
Labels
bug imported Priority-Medium

Comments

@meg23
Copy link

meg23 commented Nov 13, 2014

From anton.sh...@gmail.com on March 17, 2014 16:17:40

What steps will reproduce the problem? 1. Match a string "a" to a subset of the regex: "^(/?)([a-zA-Z0-9-.?,:'/\+=&%$#]*)?$"
2. Match a string "a" to a subset of the regex without a-z range: "^(/?)([A-Z0-9-.?,:'/\+=&%$#])?$"
3. Match a string "a" to a subset of the regex without "amp;" substring: "^(/?)([A-Z0-9-.?,:'/\+=&%$#]_)?$" What is the expected output? What do you see instead? 1. "a" matches
2. "a" matches, but expected not to match, if & is a reference to ampersand
3. "a" does not match

Conclusion: & is a simple character class, not a reference to ampersand. What version of the product are you using? On what operating system? 2.1.0 Win7 Does this issue affect only a specified browser or set of browsers? - Please provide any additional information below. Java 1.6

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=322
@xeno6696
Copy link
Collaborator

It's unclear here what the exact problem is. What method are you using? Validation?

The likely culprit here is canonicalization, and in 99% of cases where I've seen this problem come up, it's a legitmate problem. Meaning, ESAPI is doing the right thing.

There's plenty of other missing context on this problem, is the input a URL? An email address?

Recommend writing a small web app demonstrating the exact problem with the exact input, with the exact method call. Otherwise, @kwwall , I recommend closing this issue.

@kwwall
Copy link
Contributor

kwwall commented Jan 17, 2016

Is what the creator of this issue saying is that the regex for Validator.URL in validation.properties contains '&' rather than '&'? Note that it is within [] and thus a character class. Here's what we have for it:

Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$

Is Anton simply stating that instead, it should be:

Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$

(or maybe '&', but I don't think '&' is special within [...]? If so, it would be an easy fix, but note that changing '&' to just '&' would remove ';' so that could be an unintended side-effect so we may need to re-add ';' separately.

Thoughts?

@xeno6696
Copy link
Collaborator

I'll throw this in unit-test later today. Your interpretation makes sense, but does ESAPI assume that these regexes are HTML-entity encoded? (I don't think so, but I'm suspicious now)

@kwwall
Copy link
Contributor

kwwall commented Jan 17, 2016

I don't believe so either. I think the regex is likely wrong and should
just be '&'. But not sure off top of my head whether ; will need to be
included. As you say, it needs to start with better unit tests.

-kevin
Sent from my Droid; please excuse typos.
On Jan 17, 2016 10:52 AM, "Matt Seil" notifications@github.com wrote:

I'll throw this in unit-test later today. Your interpretation makes sense,
but does ESAPI assume that these regexes are HTML-entity encoded? (I don't
think so, but I'm suspicious now)


Reply to this email directly or view it on GitHub
#327 (comment)
.

@xeno6696
Copy link
Collaborator

Well... I changed &amp to & and it works fine... of course, the reason it works is because &amp already contains the ampersand as well as superfluous amp chars already covered.

xeno6696 added a commit that referenced this issue Jul 28, 2017
@xeno6696
Merge pull request #409 from xeno6696/develop
3acce7e 
Issue #327 got rid of misleading HTML entity in URL regex.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug imported Priority-Medium
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@meg23 @kwwall @xeno6696