使用Esapi验证时出错 [英] Error when using Esapi validation
问题描述
我希望有人可以帮助我解决一些问题.
I hope someone could help me with some issue.
我正在将OWASP ESAPI 2.1.0与JavaEE结合使用,以帮助我验证Web应用程序中的某些条目.在某些时候,我需要验证Windows文件路径,因此我在"validation.properties"中添加了一个新的属性条目,如下所示:
I'm using OWASP ESAPI 2.1.0 with JavaEE, to help me to validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in the 'validation.properties' like this one:
Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$
例如,当我尝试通过ESAPI验证诸如"C:\ TEMP \ file.txt"之类的字符串时,会收到ValidationException:
When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException:
ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);
或者,我还尝试了 java.util.regex.Pattern 类,以相同的字符串示例测试相同的正则表达式,并且可以正常工作:
Alternatively, I also tried the java.util.regex.Pattern class to test the same regular expression with the same string example and it works OK:
Pattern.matches("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$", "C:\\TEMP\\file.txt")
我必须说我在'validation.properties'中添加了其他正则表达式,并且工作正常.为什么这个这么难?有人可以帮我解决这个问题吗?
I must say that I added other regex in 'validation.properties' and worked OK. Why this one is so hard? Could anyone help me out with this one?
推荐答案
之所以会这样,是因为对validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);
的调用包装了对ESAPI.encoder().canonicalize()
的调用,该调用将输入转换为char序列(不是文字String
! )C:TEMP'0x0C'ile.txt
传递给正则表达式引擎之前.
This is happening because the call to validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);
wraps a call to ESAPI.encoder().canonicalize()
that is transforming the input to the char sequence (Not literal String
!) C:TEMP'0x0C'ile.txt
before it passes to the regex engine.
除了将第二个"\"转换为char 0x0c
之外,这通常是期望的行为.这可能是ESAPI中的错误.
Except for the second "\" getting converted to the char 0x0c
this is normally desired behavior. That could be a bug in ESAPI.
您想要的是拨打 查看全文