[Mono-dev] [PATCH] MS/Mono incompatibility in System.Web.HttpRequest

Chris Toshok toshok at ximian.com
Fri Mar 10 09:53:06 EST 2006


I just read in Schackow's asp.net 2.0 security book about this,
actually.  He says that the three sequences that result in rejecting a
string are:

     1. a < followed by a !
     2. a < followed by the letters a-z (upper or lowercase)
     3. a & followed by a #

Did your testing reveal that 3 wasn't used?  I was planning to commit a
change that does the above 3 checks today.

Chris


On Mon, 2006-03-06 at 08:59 -0500, Edward C. Eisenbrey wrote:
> Can someone please approve and commit this patch?
> 
> Original issue:
> 
> The input validation that occurs in the CheckString method in
> /mcs/class/System.Web/System.Web/HttpRequest.cs is far more strict than
> Microsoft's.  In this case, I would tend to say that Mono's validation
> is safer, but it might be excessive.  After extensive testing, here is
> the CheckString method that matches MS's version:
>  
> 
> using System.Text.RegularExpressions;
> 
> // Rejects the string when "<" is immediately followed by a letter or "!"
> static bool CheckString (string val)
> {
> 	Regex regex = new Regex("<[a-zA-Z\\!]+");
> 	Match match = regex.Match(val);
> 	return match.Success;
> }
> 
> 
> -----Original Message-----
> From: Edward C. Eisenbrey 
> Sent: Thursday, February 16, 2006 9:13 AM
> To: 'Eyal Alaluf'
> Cc: mono-devel-list at lists.ximian.com
> Subject: RE: [Mono-dev] [PATCH] MS/Mono incompatibility in
> System.Web.HttpRequest
> 
> You're right, that seems to work just as well.  The updated patch file
> is attached.
>  
> 
> -----Original Message-----
> From: Eyal Alaluf [mailto:eyala at mainsoft.com] 
> Sent: Thursday, February 16, 2006 4:29 AM
> To: Edward C. Eisenbrey
> Cc: mono-devel-list at lists.ximian.com
> Subject: Re: [Mono-dev] [PATCH] MS/Mono incompatibility in
> System.Web.HttpRequest
> 
> Hi, Edward.
> 
> Is it not enough to use: "<[a-zA-Z\\!]" as the RegEx instead of
> "<[a-zA-Z\\!]+"?
> It works much faster (since RegEx always tries for the biggest match
> possible) and it does exactly the same thing.
> 
> Eyal.
> 
> On Wed, 15 Feb 2006, Edward C. Eisenbrey wrote:
> 
> > Date: Wed, 15 Feb 2006 13:44:50 -0500
> > From: Edward C. Eisenbrey <nede at aliquant.com>
> > To: mono-devel-list at lists.ximian.com
> > Subject: [Mono-dev] [PATCH] MS/Mono incompatibility in
> System.Web.HttpRequest
> > 
> > Attached is the patch including all the changes mentioned.
> >
> >
> > -----Original Message-----
> > From: Joshua Kugler [mailto:joshua.kugler at uaf.edu]
> > Sent: Monday, February 13, 2006 5:12 PM
> > To: mono-devel-list at lists.ximian.com
> > Subject: Re: [Mono-dev] MS/Mono incompatibility in
> > System.Web.HttpRequest
> >
> > On Monday 13 February 2006 12:49, Luca wrote:
> >> Il Mon, Feb 13, 2006 at 11:20:53AM -0900, Joshua Kugler ha scritto:
> >>> On Monday 13 February 2006 11:12, Alex Chudnovsky wrote:
> >>>> Edward C. Eisenbrey wrote:
> >>>>> using System.Text.RegularExpressions;
> >>>>>
> >>>>> static bool CheckString (string val)
> >>>>> {
> >>>>> 	Regex regex = new Regex("<[a-zA-Z\\!]+");
> >>>>> 	Match match = regex.Match(val);
> >>>>> 	return match.Success;
> >>>>> }
> >>>>
> >>>> Pardon my intrusion, but would it not be better performance wise to
> >>>> create static instance of the regexp to avoid doing it every time
> >>>> CheckString called? Ie:
> >>>>
> >>>> static Regex regex = new Regex("<[a-zA-Z\\!]+");
> >>>>
> >>>> static bool CheckString (string val)
> >>>> {
> >>>>
> >>>> 	Match match = regex.Match(val);
> >>>> 	return match.Success;
> >>>> }
> >>>
> >>> Or at least declare it static in the sub (I assume you can do that)?
> >>
> >> Well, no :) The "sub" is a method, so the regex object must be a static
> >> member of the class. Back on the original topic, if that codepath is really
> >> performance critical you can even compile the Regex:
> >
> > Ah! I missed the part about the method being part of a class.  Yes, a
> > static class member would probably be best.
> >
> > j----- k-----
> >
> > --
> > Joshua Kugler                 PGP Key: http://pgp.mit.edu/
> > CDE System Administrator             ID 0xDB26D7CE
> > http://distance.uaf.edu/
> > _______________________________________________
> > Mono-devel-list mailing list
> > Mono-devel-list at lists.ximian.com
> > http://lists.ximian.com/mailman/listinfo/mono-devel-list
> >
> >
> >
> >
> 
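To make the gap between the two checks concrete, here is an added example (not Mono's HttpRequest.cs and not the patch from this thread) that runs the patch's regex, in Eyal's shorter form without the "+", side by side with a hand-written scan for the three sequences Chris lists from Schackow's book, over a few constructed strings. The class name, method names and sample strings are my own; only the regex and the three rules come from the thread.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: compares the regex-based CheckString from the patch with a
// scan for the three sequences (<!, <letter, &#) listed in the reply above.
static class RequestValidationDemo
{
    // The patch's check, in the form Eyal suggested (no trailing "+"):
    // "<" immediately followed by a letter or "!".
    static readonly Regex PatchRegex = new Regex("<[a-zA-Z\\!]");

    public static bool IsDangerousByRegex(string val)
    {
        return PatchRegex.IsMatch(val);
    }

    // The three rules from the book, as a plain character scan:
    //   1. "<" followed by "!"
    //   2. "<" followed by a-z or A-Z
    //   3. "&" followed by "#"
    public static bool IsDangerousByRules(string val)
    {
        for (int i = 0; i + 1 < val.Length; i++)
        {
            char c = val[i];
            char next = val[i + 1];

            if (c == '<' && (next == '!' ||
                             (next >= 'a' && next <= 'z') ||
                             (next >= 'A' && next <= 'Z')))
                return true;

            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed inputs, not taken from the thread.
        string[] samples = {
            "hello world",
            "1 < 2 && 3 > 2",             // "<" followed by a space: both allow it
            "<script>alert(1)</script>",  // rule 2: both reject
            "<!-- comment -->",           // rule 1: both reject
            "&#60;script&#62;",           // rule 3: only the three-rule scan rejects
            "&lt;script&gt;",             // named entities: neither rejects
            "x&#",                        // rule 3 at the end of the string
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-28} regex={1,-5} rules={2}",
                s, IsDangerousByRegex(s), IsDangerousByRules(s));
        }
    }
}
```

Running it shows the two checks agree on every sample except the two containing "&#": the regex from the patch never looks at "&", so numeric-entity encodings of "<" and ">" pass it, while the three-rule scan rejects them. That is exactly the question raised above about whether the third sequence was exercised in testing.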


