HTTPParameterValue #338
Comments
|
Allowing the characters '\r\n' by themselves introduces the vulnerability of HTTP Header injection. Recommend the implementer URI-encode header values as opposed to opening a security flaw via regex. |
|
@kwwall This issue should be closed. |
|
Allowing this would allow HTTP Response Splitting vulnerabilities as well as violating the HTTP 1.1 spec (RFC 2616). Since ESAPI is supposed to be a security library, we are not going to make changes that intentionally facilitate attacks. The Validator.HTTPParameterValue regular expression in ESAPI.properties file can be altered to accept this if you really want to shoot yourself in the foot. (Just change it to '.*'. That will do it and more!) This "bug" will NOT be fixed (it's really NOT a bug). Closing the issue. |
From parashar...@gmail.com on August 27, 2014 00:30:51
I need to allow alphanumeric, new line, \t\n\r, single space and all special character except (< > double space)
What would be the excepted expression for configure Validator.HTTPParameterValue.
Ex. "02-Aug-2014 at 21:05#%#%";
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=335
The text was updated successfully, but these errors were encountered: