Error when using Esapi validation

送分小仙女 submitted on 2019-12-06 12:07:29

Question


I hope someone can help me with an issue.

I'm using OWASP ESAPI 2.1.0 with JavaEE, to help me to validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in the 'validation.properties' like this one:

Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$

When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException:

ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false);

Alternatively, I also tried the java.util.regex.Pattern class to test the same regular expression with the same string example and it works OK:

Pattern.matches("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$", "C:\\TEMP\\file.txt")

I must say that I added other regexes in 'validation.properties' and they worked OK. Why is this one so hard? Could anyone help me out with this one?


Answer 1:


This is happening because the call to validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false); wraps a call to ESAPI.encoder().canonicalize() that is transforming the input to the char sequence (Not literal String!) C:TEMP'0x0C'ile.txt before it passes to the regex engine.

Except for the second "\" getting converted to the char 0x0c this is normally desired behavior. That could be a bug in ESAPI.

What you want is to make a call to ESAPI.validator().getValidDirectoryPath()



Source: https://stackoverflow.com/questions/24499820/error-when-using-esapi-validation
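
The transformation the answer describes, reproduced as an added example (not part of the original post and not ESAPI's own code). decodeBackslashEscapes is a hypothetical, simplified stand-in for the backslash-escape decoding applied during canonicalization, assumed here to turn \f into a form feed and to drop the backslash from unrecognised escapes such as \T; the class and helper names are made up for illustration.

```java
import java.util.regex.Pattern;

public class CanonicalizeBeforeRegex {
    // The regex from the question, as the regex engine sees it once the
    // properties file (or Java string literal) escaping has been removed.
    static final Pattern PATH_FILE = Pattern.compile("^([a-zA-Z]:)?(\\\\[\\w. -]+)+$");

    // Simplified model (assumption) of JavaScript-style backslash decoding:
    // \b \t \n \f \r become control characters, any other \X becomes X.
    static String decodeBackslashEscapes(String input) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c != '\\' || i + 1 == input.length()) {
                out.append(c);              // ordinary char or trailing backslash
                continue;
            }
            char next = input.charAt(++i);  // character following the backslash
            switch (next) {
                case 'b': out.append('\b'); break;
                case 't': out.append('\t'); break;
                case 'n': out.append('\n'); break;
                case 'f': out.append('\f'); break;
                case 'r': out.append('\r'); break;
                default:  out.append(next);
            }
        }
        return out.toString();
    }

    // Render control characters visibly so the decoded string can be printed.
    static String visible(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            out.append(c < 0x20 ? String.format("<0x%02X>", (int) c) : String.valueOf(c));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String raw = "C:\\TEMP\\file.txt";  // the literal path C:\TEMP\file.txt
        String canonical = decodeBackslashEscapes(raw);

        // Same pattern, checked against the raw and the decoded input.
        System.out.println("raw       : " + raw + " -> " + PATH_FILE.matcher(raw).matches());
        System.out.println("canonical : " + visible(canonical) + " -> "
                + PATH_FILE.matcher(canonical).matches());
    }
}
```

The pattern only ever sees the second string, which no longer contains a backslash, so a regex that is correct for the raw path still rejects it.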