> >1) It protects only against known threats. In order to be excluded we have
> >to be a step far enough ahead to make sure the pattern is included.
> >2) It will produce false positives.
> >3) It is not role or user based.
> >4) Tends to give a false sense of security.
>
>
> Just to add to this, in my own testing of the RegEx, I definitely was
> getting false positives, with just normal text strings (no other
> characters needed). So I do have some concerns about any long-term use
> of it, and would caution anyone using it to be aware that it may block
> more than you intend it to. In my own software, I've modified how it
> is called so it's only used on the front-end, open-to-the-world part
> of my software, as if someone gets through the back-end security
> checks, they certainly don't need to bother with a SQL injection to
> mess with the database! ;-) The goal here is just mainly to block the
> request as soon as the invalid strings in any vulnerable scope are
> detected, and that's essentially what it does, scanning the url, form,
> cookie and cgi scopes.
>
> --- Mary Jo
>
I also had a concern about thread safety; it's caching the
java.util.regex.Matcher object in Application scope, and calling
Application.injChecker.reset(testvar) for each url/form/etc variable -- seems
like Matcher.reset() changes state of the cached Matcher object?
It might be safer to cache the Pattern, then get the rePattern.matcher('') on
each request.
Looks cool otherwise, though I might remove some of the keywords from the regex
before using here.
Thanks,
- David
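An added Java example (not David's, Mary Jo's or the checker's own code, and not the checker's real regex; the pattern, the sample request scopes and the test inputs are all constructed here) contrasting the two arrangements discussed above: one `java.util.regex.Matcher` cached for the whole application and `reset()` per variable, versus caching the immutable `Pattern` and calling `matcher()` per request. The `countWrongAnswers` harness runs a checker from several threads against inputs whose correct answer is known and counts disagreements, which is how a practitioner can see the shared-Matcher race for themselves rather than reasoning about it.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class InjCheckerThreadSafety {

    // Constructed, deliberately small stand-in for the list's SQL-keyword regex.
    private static final Pattern INJ_PATTERN =
        Pattern.compile("(?i)\\b(select|union|insert|update|delete|drop)\\b");

    // The risky arrangement from the post: ONE Matcher cached in application
    // scope and reset() for every url/form/cookie variable that is checked.
    private static final Matcher SHARED_MATCHER = INJ_PATTERN.matcher("");

    static boolean unsafeSharedCheck(String value) {
        // reset() replaces the shared Matcher's input and position; two requests
        // interleaving here evaluate each other's text or hit internal errors.
        SHARED_MATCHER.reset(value);
        return SHARED_MATCHER.find();
    }

    // Safe arrangement: Pattern is immutable and thread-safe, so cache it and
    // create a fresh Matcher for each value checked.
    static boolean safeCheck(String value) {
        return INJ_PATTERN.matcher(value).find();
    }

    // Apply safeCheck across request scopes; returns "scope.key" for every hit.
    static List<String> scanScopes(Map<String, Map<String, String>> scopes) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, Map<String, String>> scope : scopes.entrySet()) {
            for (Map.Entry<String, String> var : scope.getValue().entrySet()) {
                if (safeCheck(var.getValue())) {
                    hits.add(scope.getKey() + "." + var.getKey());
                }
            }
        }
        return hits;
    }

    // Run a checker from many threads over inputs with known answers and count
    // every wrong result or exception. A thread-safe checker returns 0.
    static long countWrongAnswers(Predicate<String> checker, int threads, int iterations)
            throws Exception {
        String[] inputs = { "hello world", "1 UNION SELECT password", "plain text", "DROP TABLE users" };
        boolean[] expected = { false, true, false, true };
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<Long>> results = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            final int offset = t;
            results.add(pool.submit(() -> {
                long wrong = 0;
                for (int i = 0; i < iterations; i++) {
                    int k = (i + offset) % inputs.length;
                    try {
                        if (checker.test(inputs[k]) != expected[k]) wrong++;
                    } catch (RuntimeException e) {
                        wrong++; // a corrupted Matcher can also throw mid-scan
                    }
                }
                return wrong;
            }));
        }
        long total = 0;
        for (Future<Long> f : results) total += f.get();
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request: only url.q should be flagged.
        Map<String, Map<String, String>> request = Map.of(
            "url", Map.of("id", "42", "q", "1 UNION SELECT * FROM users"),
            "form", Map.of("name", "Mary Jo"),
            "cookie", Map.of("session", "abc123"));
        System.out.println("flagged: " + scanScopes(request));

        System.out.println("shared Matcher wrong answers: "
            + countWrongAnswers(InjCheckerThreadSafety::unsafeSharedCheck, 8, 200_000));
        System.out.println("per-request Matcher wrong answers: "
            + countWrongAnswers(InjCheckerThreadSafety::safeCheck, 8, 200_000));
    }
}
```

The exact count from the shared-Matcher run varies by JVM and machine, which is the point: a check whose answer depends on scheduling is not a check. In CFML terms this is the difference between storing the Matcher in `Application` scope and storing only the compiled Pattern there, then calling `matcher()` on it inside each request.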
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310901