From: Steven J. S. <sj...@Ju...> - 2003-01-15 17:45:04
On 15 Jan 2003, Mark Curphey wrote:
> www.sourceforge.net/projects/owasp and look for lists. If that doesn't
> work, do let me know.

found it this time; was kinda buried at bottom of page

> On Wed, 2003-01-15 at 05:22, Steven J. Sobol wrote:
> > On 29 Nov 2002, Mark Curphey wrote:
> > > Guys
> > >
> > > I think the new list is owa...@li... ;-)
> >
> > I went to the SF site and couldn't find where to subscribe. It's early and
> > I'm probably missing something...
> >
> > > On Thu, 2002-11-28 at 14:08, Nik Cubrilovic wrote:
> > > > Request timed out.
> > > >
> > > > On Wed, 27 Nov 2002, Steven J. Sobol wrote:
> > > > > --
> > > > > Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
> > > > > http://JustTheNetLLC.com/ 888.480.4NET (4638)
> > > > >
> > > > > A practicing member of the Geek Orthodox religion!
> > > > >
> > > > > -------------------------------------------------------
> > > > > This SF.net email is sponsored by: Get the new Palm Tungsten T
> > > > > handheld. Power & Color in a compact size!
> > > > > http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> > > > > _______________________________________________
> > > > > Owasp-input-api-developers mailing list
> > > > > Owa...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers

--
Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
http://JustTheNetLLC.com/ 888.480.4NET (4638)

A practicing member of the Geek Orthodox religion!
From: Mark C. <ma...@cu...> - 2003-01-15 15:19:39
www.sourceforge.net/projects/owasp and look for lists. If that doesn't work,
do let me know.

On Wed, 2003-01-15 at 05:22, Steven J. Sobol wrote:
> On 29 Nov 2002, Mark Curphey wrote:
> > Guys
> >
> > I think the new list is owa...@li... ;-)
>
> I went to the SF site and couldn't find where to subscribe. It's early and
> I'm probably missing something...
>
> > On Thu, 2002-11-28 at 14:08, Nik Cubrilovic wrote:
> > > Request timed out.
> > >
> > > On Wed, 27 Nov 2002, Steven J. Sobol wrote:
> > > > --
> > > > Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
> > > > http://JustTheNetLLC.com/ 888.480.4NET (4638)
> > > >
> > > > A practicing member of the Geek Orthodox religion!
>
> --
> Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
> http://JustTheNetLLC.com/ 888.480.4NET (4638)
>
> A practicing member of the Geek Orthodox religion!
From: Steven J. S. <sj...@Ju...> - 2003-01-15 12:24:05
On 29 Nov 2002, Mark Curphey wrote:
> Guys
>
> I think the new list is owa...@li... ;-)

I went to the SF site and couldn't find where to subscribe. It's early and
I'm probably missing something...

> On Thu, 2002-11-28 at 14:08, Nik Cubrilovic wrote:
> > Request timed out.
> >
> > On Wed, 27 Nov 2002, Steven J. Sobol wrote:
> > > --
> > > Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
> > > http://JustTheNetLLC.com/ 888.480.4NET (4638)
> > >
> > > A practicing member of the Geek Orthodox religion!

--
Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
http://JustTheNetLLC.com/ 888.480.4NET (4638)

A practicing member of the Geek Orthodox religion!
From: Alex R. <net...@ni...> - 2002-11-29 20:04:18
Sorry, I'm not in town so I haven't had a chance to reply. Things are moving
(albeit slowly).

Also, the list this was posted to is not the current discussion list for the
project. Please subscribe (and post to)
https://sourceforge.net/mailarchive/forum.php?forum_id=12809

Thanks.

On Fri, 29 Nov 2002, Nik Cubrilovic wrote:
> Request timed out.
From: Mark C. <ma...@cu...> - 2002-11-29 16:59:04
Guys

I think the new list is owa...@li... ;-)

On Thu, 2002-11-28 at 14:08, Nik Cubrilovic wrote:
> Request timed out.
>
> On Wed, 27 Nov 2002, Steven J. Sobol wrote:
> > --
> > Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
> > http://JustTheNetLLC.com/ 888.480.4NET (4638)
> >
> > A practicing member of the Geek Orthodox religion!

--
Mark Curphey <ma...@cu...>
From: Nik C. <ni...@ni...> - 2002-11-28 11:09:04
Request timed out.

On Wed, 27 Nov 2002, Steven J. Sobol wrote:
> --
> Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
> http://JustTheNetLLC.com/ 888.480.4NET (4638)
>
> A practicing member of the Geek Orthodox religion!
From: Steven J. S. <sj...@Ju...> - 2002-11-27 13:45:37
--
Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
http://JustTheNetLLC.com/ 888.480.4NET (4638)

A practicing member of the Geek Orthodox religion!
From: Alex R. <al...@ne...> - 2002-10-30 19:58:23
On Wednesday 30 October 2002 03:28, Ingo Struck wrote:
> Hi...
>
> > have a look through the archives and try to find the "vision document".
>
> Hm... I couldn't locate it. :o(

see attached DocBook document.

> But I saw the idmef thing together with some other code...
> What's that? For me it seems to be a different way to describe
> vulnerabilities, so is it a second VulnXML draft?
> Please tell me some words about status/purpose.

this is water under the bridge. Please read the archives for details.

> > canonicalization.
>
> Wew, I think this is really a tricky / huge problem.
> As you surely know, nearly all charset de/encoding mechanisms are not
> trivial. If you really try to canonicalize everything before filtering, I
> bet that the only attack an attacker has to try out is a simple
> overloading.

that's why we force a charset. All Unicode compliant converters will use
"shortest encoding" semantics, and so we shouldn't have to worry about
this.

> As I already stated, on the protocol / db layer (which should be considered
> to be the most sensitive one) you can assume at least everything to be
> eight-bit, if not seven (ascii) or even six bit (base64).
> Thus, the simple canonicalization on that layer would consist of bit
> masking.
>
> The filters on other stages may well need a full-fledged charset
> canonicalization, but it should only happen comparatively seldom that a
> user has to provide charset-dependent input (e.g. i18n names / search
> patterns or the like).

we'll worry about efficiency once we have correctness. Premature
optimization is the root of all evil.

--
Alex Russell
al...@Se...
al...@ne...
From: Ingo S. <in...@in...> - 2002-10-30 10:27:33
Hi...

> have a look through the archives and try to find the "vision document".

Hm... I couldn't locate it. :o(
But I saw the idmef thing together with some other code...
What's that? For me it seems to be a different way to describe
vulnerabilities, so is it a second VulnXML draft?
Please tell me some words about status/purpose.

> canonicalization. We need to be sure that what we're filtering is in the
> charset we intend our filters to be handling, otherwise we open up
> ourselves to Unicode problems.

Wew, I think this is really a tricky / huge problem.
As you surely know, nearly all charset de/encoding mechanisms are not
trivial. If you really try to canonicalize everything before filtering, I bet
that the only attack an attacker has to try out is a simple overloading.
As I already stated, on the protocol / db layer (which should be considered
to be the most sensitive one) you can assume at least everything to be
eight-bit, if not seven (ascii) or even six bit (base64).
Thus, the simple canonicalization on that layer would consist of bit masking.
The filters on other stages may well need a full-fledged charset
canonicalization, but it should only happen comparatively seldom that a
user has to provide charset-dependent input (e.g. i18n names / search
patterns or the like).

> eh. canonicalization before filtering makes this moot.

see above.

> > 6. the pattern matching should reject a byte sequence immediately if it
> > finds some byte / byte pattern that is not allowed.
> that's what the "good chars" stuff is for.

Yep, of course... I just wanted to restate that, because there are regexp
parts in the code, which *could* be more inefficient than the goodbytes
approach.

> I didn't include a "filter stack" in with the tarball, but we will have one.

Yep, just a hint to avoid reduplication of work.

> because I haven't coded any java in a year = )
> All idiom problems are my own, sorry.

Never mind, that's why the remarks came in triple braces.
:o)

Kind regards

Ingo
From: Mark C. <ma...@cu...> - 2002-10-30 04:45:44
Alex will resend his code in the morning to the NEW list and will setup the
module in CVS. As you suggested a module for each project will be setup.

That really is last mail I send to the old list ;-)

On Tue, 2002-10-29 at 19:52, Christopher Todd wrote:
> Mark,
>
> OK, just to clarify, Alex's code posting will be re-sent? I only ask
> because the last couple of emails have been a bit confusing, and browsing
> the new CVS tree suggests that only the OWASP Common Library repository has
> been created.
>
> Speaking of which, how will the new CVS repositories be setup? A single
> OWASP repository with a module for each sub-project (filters, webscarab,
> guide, etc.)? Just curious how we need to change our CVS client setups.
>
> Chris
>
> > -----Original Message-----
> > From: owa...@li...
> > [mailto:owa...@li...]On Behalf
> > Of Mark Curphey
> > Sent: Tuesday, October 29, 2002 7:31 PM
> > To: owa...@li...;
> > owa...@li...
> > Subject: [Owasp-input-api-developers] List Migration and 1st
> > Implemenation Post
> >
> > The new mailing list for filters is
> >
> > http://lists.sourceforge.net/lists/listinfo/owasp-filters
> >
> > Please sign up.
> >
> > You may have noticed that Alex has sent an initial
> > implementation in Java to the list for review. It
> > didn't make it through as it was too big, Gabe is
> > the old list admin (this list) and he's moving house
> > and doesn't have admin password handy.
> >
> > The initial implementation code will be checked into
> > CVS soon. Again the main owasp project site is the
> > only one we are going to use now. You've all been
> > added.
> >
> > So to cut a long story short, please sign up to the
> > new list, don't use this list anymore (be careful
> > when reply to the last post) and look for Alex's
> > implementation code post !
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Owasp-input-api-developers mailing list
> > Owa...@li...
> > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
From: Christopher T. <ch...@ch...> - 2002-10-30 03:54:52
Mark,

OK, just to clarify, Alex's code posting will be re-sent? I only ask
because the last couple of emails have been a bit confusing, and browsing
the new CVS tree suggests that only the OWASP Common Library repository has
been created.

Speaking of which, how will the new CVS repositories be setup? A single
OWASP repository with a module for each sub-project (filters, webscarab,
guide, etc.)? Just curious how we need to change our CVS client setups.

Chris

> -----Original Message-----
> From: owa...@li...
> [mailto:owa...@li...]On Behalf
> Of Mark Curphey
> Sent: Tuesday, October 29, 2002 7:31 PM
> To: owa...@li...;
> owa...@li...
> Subject: [Owasp-input-api-developers] List Migration and 1st
> Implemenation Post
>
> The new mailing list for filters is
>
> http://lists.sourceforge.net/lists/listinfo/owasp-filters
>
> Please sign up.
>
> You may have noticed that Alex has sent an initial
> implementation in Java to the list for review. It
> didn't make it through as it was too big, Gabe is
> the old list admin (this list) and he's moving house
> and doesn't have admin password handy.
>
> The initial implementation code will be checked into
> CVS soon. Again the main owasp project site is the
> only one we are going to use now. You've all been
> added.
>
> So to cut a long story short, please sign up to the
> new list, don't use this list anymore (be careful
> when reply to the last post) and look for Alex's
> implementation code post !
From: Mark C. <ma...@cu...> - 2002-10-30 00:31:35
The new mailing list for filters is

http://lists.sourceforge.net/lists/listinfo/owasp-filters

Please sign up.

You may have noticed that Alex has sent an initial implementation in Java to
the list for review. It didn't make it through as it was too big, Gabe is the
old list admin (this list) and he's moving house and doesn't have admin
password handy.

The initial implementation code will be checked into CVS soon. Again the main
owasp project site is the only one we are going to use now. You've all been
added.

So to cut a long story short, please sign up to the new list, don't use this
list anymore (be careful when reply to the last post) and look for Alex's
implementation code post !
From: Alex R. <al...@ne...> - 2002-10-29 23:31:39
> 1. On which stage should the filter framework bang the malicious input?
> e.g. is it intended to work on the protocol layer or on some layer
> visible to the user?

have a look through the archives and try to find the "vision document". It
describes our boundary-filtering concept. The BaseFilter class is just
that, a superclass for filters that will be placed at various boundaries.

> 2. If it is intended to work on a low-level layer (that's what I assume),
> why do you want to support charsets?

canonicalization. We need to be sure that what we're filtering is in the
charset we intend our filters to be handling, otherwise we open up
ourselves to Unicode problems.

> 3. If it is really necessary to use charsets for some reason, I would
> propose to use an own impl (at least in java), since the default java
> impl is *way* too slow.
> 4. what I really like is the "goodChars" approach.
> The filter framework should only allow for a predefined set of good
> chars. If the range of chars must be widened, then it would be best to
> define some "character classes" in terms of goodChars arrays and combine
> them with logical or. If you use the "char" in the classical sense, then
> it really is a byte, hence the goodChars are goodBytes

eh. canonicalization before filtering makes this moot.

> 6. the pattern matching should reject a byte sequence immediately if it
> finds some byte / byte pattern that is not allowed.

that's what the "good chars" stuff is for.

> 7. for a proposal of a filter chaining mechanism see
> org.owasp.util.filter (OCL) This framework is *NOT* intended only to
> filter out some patterns, but to mutate the filtered stuff.
> For the filtering project I would propose *ONLY* to reject invalid
> input, since modification is a potential risk (the modification mechanism
> could be abused)

I didn't include a "filter stack" in with the tarball, but we will have one.

> ((( (only remarks regarding code style)
> 8. Why do you always access members within methods with "this.{member}"?
> "this." is the implicit default, hence superfluous and should be
> omitted. 9. Vector should be considered to be obsolete and not be used
> in favor of ArrayList (as well as Enumeration et al.)
> )))

because I haven't coded any java in a year = )
All idiom problems are my own, sorry.

--
Alex Russell
al...@Se...
al...@ne...
From: Ingo S. <in...@in...> - 2002-10-29 23:20:01
Hi folks,

I read the filter classes and here are some general remarks/questions:

1. On which stage should the filter framework bang the malicious input?
   e.g. is it intended to work on the protocol layer or on some layer visible
   to the user?
2. If it is intended to work on a low-level layer (that's what I assume),
   why do you want to support charsets?
   Nearly any protocol works *without* charset support on a lower level.
   If you want a "transparent" filter framework (i.e. without or with very
   low performance loss) then it would be best to spare the charset stuff and
   work on a byte[] level. If you make the assumption that the charset *IS*
   seven bit on the filter stage, then you will make your life much easier
   and more fun... :o)
3. If it is really necessary to use charsets for some reason, I would propose
   to use an own impl (at least in java), since the default java impl is
   *way* too slow.
4. what I really like is the "goodChars" approach.
   The filter framework should only allow for a predefined set of good chars.
   If the range of chars must be widened, then it would be best to define
   some "character classes" in terms of goodChars arrays and combine them
   with logical or. If you use the "char" in the classical sense, then it
   really is a byte, hence the goodChars are goodBytes
5. the pattern matching should work with raw byte patterns too, i.e. only a
   one-byte-charset should be used. any "charset" stuff can be simulated
   with certain "goodBytesPatterns" (e.g. the byte pattern for the German
   a-umlaut ä in a given charset, lets say ISO 8859-1)
6. the pattern matching should reject a byte sequence immediately if it
   finds some byte / byte pattern that is not allowed.
7. for a proposal of a filter chaining mechanism see
   org.owasp.util.filter (OCL) This framework is *NOT* intended only to
   filter out some patterns, but to mutate the filtered stuff.
   For the filtering project I would propose *ONLY* to reject invalid input,
   since modification is a potential risk (the modification mechanism could
   be abused)

((( (only remarks regarding code style)
8. Why do you always access members within methods with "this.{member}"?
   "this." is the implicit default, hence superfluous and should be omitted.
9. Vector should be considered to be obsolete and not be used in favor of
   ArrayList (as well as Enumeration et al.)
)))

Kind regards

Ingo
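The goodChars/goodBytes allow-list from point 4, the "reject immediately, never mutate" rule from points 6 and 7, and Alex's reply further up the thread that input is first forced into one charset (where "shortest encoding" semantics close the overloading concern) are carried through here as an added Python sketch. It is not the Java code from Alex's tarball; the names RejectedInput, canonicalize, LengthFilter, GoodCharsFilter, FilterChain and the character-class constants are assumed for this illustration, and the sample inputs are constructed.

```python
"""Canonicalize first, then allow-list: an added sketch, not the OWASP
filters project's own Java code. Every name below is assumed for this
illustration and the sample inputs are constructed."""
import unicodedata


class RejectedInput(ValueError):
    """Raised by a filter as soon as the first disallowed unit is seen."""


# "Character classes" as allow-list sets; wider classes are built by
# combining narrower ones with set union, i.e. logical OR.
DIGITS = frozenset("0123456789")
ALPHA = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
NAME_PUNCT = frozenset("-_.")
LATIN1_EXTRA = frozenset("\u00e4\u00f6\u00fc\u00c4\u00d6\u00dc\u00df")  # ä ö ü Ä Ö Ü ß
IDENT = ALPHA | DIGITS | NAME_PUNCT
PERSON = ALPHA | LATIN1_EXTRA | frozenset(" -")


def canonicalize(raw: bytes, charset: str = "utf-8") -> str:
    """Force one charset and one Unicode form before any filter runs.

    Strict decoding rejects overlong sequences and lone surrogates, so only
    the shortest encoding of each code point gets through; NFC then folds
    composed and decomposed spellings of the same character together, so
    the allow-list sees a single representation.
    """
    try:
        text = raw.decode(charset, errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedInput(f"not valid {charset}: {exc.reason}") from None
    return unicodedata.normalize("NFC", text)


class LengthFilter:
    """Rejects anything longer than max_len; never truncates."""

    def __init__(self, max_len: int) -> None:
        self.max_len = max_len

    def check(self, text: str) -> str:
        if len(text) > self.max_len:
            raise RejectedInput(f"length {len(text)} exceeds {self.max_len}")
        return text


class GoodCharsFilter:
    """Accepts text only if every character is in the allow-list.

    Stops at the first disallowed character and never rewrites the input:
    the only outcomes are the text unchanged or a rejection.
    """

    def __init__(self, name: str, good_chars: frozenset) -> None:
        self.name = name
        self.good_chars = good_chars

    def check(self, text: str) -> str:
        for pos, ch in enumerate(text):
            if ch not in self.good_chars:
                raise RejectedInput(
                    f"{self.name}: U+{ord(ch):04X} at offset {pos} not allowed")
        return text


class FilterChain:
    """Canonicalizes, then runs each filter in order; any filter may reject."""

    def __init__(self, *filters) -> None:
        self.filters = filters

    def check(self, raw: bytes) -> str:
        text = canonicalize(raw)
        for flt in self.filters:
            text = flt.check(text)
        return text

    def try_check(self, raw: bytes):
        """(True, canonical text) on acceptance, (False, reason) on rejection."""
        try:
            return True, self.check(raw)
        except RejectedInput as exc:
            return False, str(exc)


USERNAME = FilterChain(LengthFilter(32), GoodCharsFilter("username", IDENT))
PERSON_NAME = FilterChain(LengthFilter(64), GoodCharsFilter("name", PERSON))

if __name__ == "__main__":
    # Constructed inputs: plain, a '<', an overlong encoding of '<' (C0 BC),
    # and a decomposed umlaut that NFC folds back into a single code point.
    for raw in (b"alice_01", b"alice<script>", b"\xc0\xbc", b"Jo\xcc\x88rg"):
        print(raw, "->", USERNAME.try_check(raw), PERSON_NAME.try_check(raw))
```

The overlong form never reaches the allow-list at all: it is refused by the strict decoder, which is the point of canonicalizing before filtering. The decomposed "Jo" + combining diaeresis is accepted by the name chain only because NFC turned it into the single ö that the class lists, and the username chain rejects it for the same reason, reporting the offending code point and offset rather than silently stripping it.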
From: Alex R. <al...@ne...> - 2002-10-29 22:27:26
Hey Everyone,

I feel like such a slacker any more. It's been WAAY too long to get this out,
but attached you'll find a tarball with a working sketch of what I envision
the Java API to look/work like. Once we agree that it sucks and fix it,
we'll start porting to other languages (starting first with the procedural
language of choice).

Please note that unit tests for the implemented features in the base filters
class all pass. If you make changes to the API, please make sure the unit
tests reflect those changes.

Notes:

This was developed against JDK 1.4 and will not work with earlier Java
versions. I anticipate we'll backport at some future point in time against
the ORO lib, but not for now.

Also, junit is included (hence the obscene size). To run the automated
tests, cd into the "java" directory and run:

    java -classpath ".:test:test/junit.jar" junit.swingui.TestRunner &

from the list of tests available when you hit the "..." button, choose
"TestBaseFilter".

Feedback on the design of the API would be most appreciated.

--
Alex Russell
al...@Se...
al...@ne...
From: Mark C. <ma...@cu...> - 2002-10-20 06:51:26
As you may know we are migrating all projects to one central Sourceforge site
(http://www.sourceforge.net/projects/owasp). Under the main site we will have
CVS modules for each project and a commons module for shareable and re-useable
code. We can also have all of our releases on the one file release page etc

I am taking the opportunity to also migrate mailing lists that accumulated
under the Webscarab project or separate sites to their own lists (and
simplify names) so webscarab-owasp-testing for instance will now be
owasp-testing. Archived mail will remain at geocrawler.

I will start migrating users on Sunday to both the new mailing lists and to
the new project at Sourceforge and I'll send out a mail to you all when it's
done.

I am also going to start using the task manager for the new sub-projects as
well ;-)

Cheers

Mark
From: Mark C. <ma...@cu...> - 2002-09-24 16:45:24
Cool, just making sure things didn't stray like they did again ;-)

---- Gabriel Lawrence <ga...@bu...> wrote:
> On Tue, 2002-09-24 at 00:14, Mark Curphey wrote:
> > Cheers.
> >
> > On Tue, 2002-09-24 at 06:27, Chr...@ey... wrote:
> > > Mark,
> > >
> > > I think a version of the Filters API implemented as a Servlet 2.3 Filter
> > > could be useful, and I have proposed such an implementation on this list
> > > in the past. It is something I will work on, but it may not be consistent
> > > with the approach we'll take at the outset, which is to create filters to
> > > be used at boundaries.
> >
> > Just my 2 cents worth but I would suggest you chat to the PM (Gabe) and
> > tech lead (Alex) to ensure it's in unison with what's been mutually agreed
> > on, to ensure inclusion with the project release files.
>
> The idea that Alex and I had discussed in the past was that of a layered
> approach. That being that the first bit of work we do was more nuts and
> bolts, and then this could be used to make a more plug and play solution
> a la servlet filters... So its not out of sync necessarily with what we
> want to do, but what we are really after is making first tools and then
> solutions...
>
> -gabe
>
> --
> Gabriel Lawrence
> CTO
> Butterfly Security <www.butterflysecurity.com>
> (408) 333-9948
> ga...@bu...
From: Gabriel L. <ga...@bu...> - 2002-09-24 16:34:52
On Tue, 2002-09-24 at 00:14, Mark Curphey wrote:
> Cheers.
>
> On Tue, 2002-09-24 at 06:27, Chr...@ey... wrote:
> > Mark,
> >
> > I think a version of the Filters API implemented as a Servlet 2.3 Filter
> > could be useful, and I have proposed such an implementation on this list
> > in the past. It is something I will work on, but it may not be consistent
> > with the approach we'll take at the outset, which is to create filters to
> > be used at boundaries.
>
> Just my 2 cents worth but I would suggest you chat to the PM (Gabe) and
> tech lead (Alex) to ensure its in unison with whats been mutually agreed
> on, to ensure inclusion with the project release files.

The idea that Alex and I had discussed in the past was that of a layered
approach. That being that the first bit of work we do was more nuts and
bolts, and then this could be used to make a more plug and play solution
a la servlet filters... So its not out of sync necessarily with what we
want to do, but what we are really after is making first tools and then
solutions...

-gabe

--
Gabriel Lawrence
CTO
Butterfly Security <www.butterflysecurity.com>
(408) 333-9948
ga...@bu...
From: Alex R. <al...@ne...> - 2002-09-24 15:14:33
On Tuesday 24 September 2002 02:14, Mark Curphey wrote:
> Cheers.
>
> On Tue, 2002-09-24 at 06:27, Chr...@ey... wrote:
> > Mark,
> >
> > I think a version of the Filters API implemented as a Servlet 2.3 Filter
> > could be useful, and I have proposed such an implementation on this list
> > in the past. It is something I will work on, but it may not be
> > consistent with the approach we'll take at the outset, which is to create
> > filters to be used at boundaries.
>
> Just my 2 cents worth but I would suggest you chat to the PM (Gabe) and
> tech lead (Alex) to ensure it's in unison with what's been mutually agreed
> on, to ensure inclusion with the project release files.

I don't think that putting a filter in a Servlet Filter is a bad idea, but I
think that we should recognize that it's only going to cover one boundary.
That being the case, I'm all for things that make our tools easier to
integrate for developers.

--
Alex Russell
al...@Se...
al...@ne...
From: Mark C. <ma...@cu...> - 2002-09-24 14:15:07
Cheers.

On Tue, 2002-09-24 at 06:27, Chr...@ey... wrote:
> Mark,
>
> I think a version of the Filters API implemented as a Servlet 2.3 Filter
> could be useful, and I have proposed such an implementation on this list
> in the past. It is something I will work on, but it may not be consistent
> with the approach we'll take at the outset, which is to create filters to
> be used at boundaries.

Just my 2 cents worth but I would suggest you chat to the PM (Gabe) and
tech lead (Alex) to ensure it's in unison with what's been mutually agreed
on, to ensure inclusion with the project release files.

> My thoughts about using an InterceptorFilter in this context is that it
> would allow web app administrators to take a declarative approach by
> mapping request parameters for specific web resources to specific API
> filter functions. That would mean scrubbing all the input before the
> Servlet sees it, which is a different approach from filtering at
> boundaries.
>
> I apologize for the email format, but I'm sending this from my work email,
> as I do not have access to my other mail right now, and Lotus Notes does
> some annoying things I don't have any control over (the sig and formatting
> as HTML).
>
> Chris
>
> Mark Curphey <ma...@cu...>
> Sent by: owa...@li...
> 09/22/2002 02:12 AM
> Please respond to mark
>
> To: owa...@li...
> cc:
> Subject: [Owasp-input-api-developers] Design Doc
>
> I must have become unsubscribed for some reason so
> wasn't getting mail...sorry about that one.
>
> Design doc looks pretty cool.
>
> Did you decide on a 2nd initial language ?
>
> I see a great deal of C CGI still around. I saw
> Steves PHP web mail app as well which might be cool.
>
> In Java would the implementation be done using the
> Java Filters package (part of Servlet 2.3 spec) ?
>
> http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/Filter.html
>
> I thought this was interesting as well
>
> http://java.sun.com/blueprints/patterns/InterceptingFilter.html
From: <Chr...@ey...> - 2002-09-24 13:19:14
Mark,

I think a version of the Filters API implemented as a Servlet 2.3 Filter
could be useful, and I have proposed such an implementation on this list
in the past. It is something I will work on, but it may not be consistent
with the approach we'll take at the outset, which is to create filters to
be used at boundaries.

My thoughts about using an InterceptorFilter in this context is that it
would allow web app administrators to take a declarative approach by
mapping request parameters for specific web resources to specific API
filter functions. That would mean scrubbing all the input before the
Servlet sees it, which is a different approach from filtering at
boundaries.

I apologize for the email format, but I'm sending this from my work email,
as I do not have access to my other mail right now, and Lotus Notes does
some annoying things I don't have any control over (the sig and formatting
as HTML).

Chris

Mark Curphey <ma...@cu...>
Sent by: owa...@li...
09/22/2002 02:12 AM
Please respond to mark

To: owa...@li...
cc:
Subject: [Owasp-input-api-developers] Design Doc

I must have become unsubscribed for some reason so
wasn't getting mail...sorry about that one.

Design doc looks pretty cool.

Did you decide on a 2nd initial language ?

I see a great deal of C CGI still around. I saw
Steves PHP web mail app as well which might be cool.

In Java would the implementation be done using the
Java Filters package (part of Servlet 2.3 spec) ?

http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/Filter.html

I thought this was interesting as well

http://java.sun.com/blueprints/patterns/InterceptingFilter.html

________________________________________________________________________
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Ernst & Young LLP
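The declarative approach Chris describes above (request parameters of specific web resources mapped to specific filter functions, applied before the application code ever sees the request) is sketched here as an added Python example, written as a WSGI middleware rather than the Servlet 2.3 Filter he has in mind. It is not the project's code: RULES, check_request, InputFilterMiddleware, demo_app and run are names assumed for the illustration, and the requests are constructed. As Alex points out further up the thread, a filter placed here covers only the HTTP request boundary; the application's other boundaries still need their own filters.

```python
"""Intercepting input filter for a WSGI app: an added sketch, not the
project's code. RULES, check_request, InputFilterMiddleware, demo_app and
run are names assumed for this illustration; the requests are constructed."""
import re
from urllib.parse import parse_qs

# Declarative table an administrator would maintain: resource path ->
# {parameter name: allow-list pattern}. A parameter not listed for its
# resource, or a resource with no entry at all, is rejected outright.
RULES = {
    "/search": {"q": re.compile(r"[A-Za-z0-9 ]{1,64}")},
    "/account": {
        "id": re.compile(r"[0-9]{1,10}"),
        "view": re.compile(r"summary|detail"),
    },
}


def check_request(path: str, query: str):
    """Return None if every parameter passes its rule, else a reason string.

    parse_qs percent-decodes once, so the pattern is applied to the same
    value the handler would have received; fullmatch anchors the pattern
    at both ends so a partial hit never counts as a match.
    """
    rules = RULES.get(path)
    if rules is None:
        return f"no filter rules for {path}"
    for name, values in parse_qs(query, keep_blank_values=True).items():
        pattern = rules.get(name)
        if pattern is None:
            return f"unexpected parameter {name!r}"
        for value in values:
            if not pattern.fullmatch(value):
                return f"parameter {name!r} failed its allow-list"
    return None


class InputFilterMiddleware:
    """Wraps a WSGI app; rejected requests never reach it."""

    def __init__(self, app) -> None:
        self.app = app

    def __call__(self, environ, start_response):
        reason = check_request(environ.get("PATH_INFO", ""),
                               environ.get("QUERY_STRING", ""))
        if reason is not None:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"rejected input\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application; only ever sees filtered input."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"handled " + environ["PATH_INFO"].encode() + b"\n"]


def run(path: str, query: str):
    """Drive the wrapped app with a constructed GET; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(InputFilterMiddleware(demo_app)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    for path, query in (("/search", "q=owasp+filters"),
                        ("/search", "q=%3Cscript%3E"),
                        ("/account", "id=42&debug=1"),
                        ("/admin", "")):
        print(path, query, "->", run(path, query))
```

The table is the whole policy: adding a resource or parameter means adding a rule, and anything unlisted fails closed, which is what makes the approach declarative from the administrator's side and keeps the handler code free of per-parameter checks.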
From: Gabriel L. <ga...@bu...> - 2002-09-23 21:43:06
Howdy,

So we should try and get a review of Alex's docs done by Friday. If
possible people should post any comments or revisions that they think need
to be done by Thursday and then we should vote as we did before on the
content. Then the idea would be to start parceling out work for us to begin
rocking and rolling :-)

-gabe

--
Gabriel Lawrence
CTO
Butterfly Security <www.butterflysecurity.com>
(408) 333-9948
ga...@bu...
From: Mark C. <ma...@cu...> - 2002-09-22 06:12:24
I must have become unsubscribed for some reason so wasn't getting
mail...sorry about that one.

Design doc looks pretty cool.

Did you decide on a 2nd initial language ?

I see a great deal of C CGI still around. I saw Steves PHP web mail app as
well which might be cool.

In Java would the implementation be done using the Java Filters package (part
of Servlet 2.3 spec) ?

http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/Filter.html

I thought this was interesting as well

http://java.sun.com/blueprints/patterns/InterceptingFilter.html
From: Steven J. S. <sj...@Ju...> - 2002-09-17 14:42:37
On Mon, 16 Sep 2002, Alex Russell wrote:
> I can't apologize enough for my tardiness on this. It's really inexcusable.
> I'll do better in the future, or you can replace me at your whim = )

Forty lashes with a wet RJ-45 cable...

--
Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH
http://JustTheNetLLC.com/ http://JustThe.net/ 888.480.4NET (4638)

Happily owned by a wife, two children, two cockatiels, four Chinese Shar-Pei,
a Pug, a Whippet, a rescued Greyhound, and a rescued Chow. :)
From: Alex R. <al...@ne...> - 2002-09-16 08:23:03
I can't apologize enough for my tardiness on this. It's really inexcusable.
I'll do better in the future, or you can replace me at your whim = )

See attached.

--
Alex Russell
al...@Se...
al...@ne...