Hello, I have upgraded the ESAPI libraries from version 2.1 to 2.5.2 and I am getting the following error in the new version, which was working in the old version. Any help is appreciated.

Invalid input: context=addHeader, type(HTTPHeaderValue)=^[a-zA-Z0-9()-=*.?;,+/:&_ ]$, input=attachment;filename="CstmUpdFile-I_3.3.3 647_20230822213220.ZIP" org.owasp.esapi.errors.ValidationException: addHeader: Invalid input. Please conform to regex ^[a-zA-Z0-9()-=*.?;,+/:&_ ]$ with a maximum length of 4096 at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:140)
After fixing a small bug in the regex (escape the equals sign to get past that):

^[a-zA-Z0-9()\\\-=\\*\\.\\?;,+\\/:&_ ]*$

The match fails because your input has quotes:

attachment;filename="CstmUpdFile-I_3.3.3 647_20230822213220.ZIP"

The regex clearly doesn't match. See debug output:
I did a diff of the regex from 2.1 to the present day, and there has been no change to the regex.
You DID find a bug in our regex, so THAT is good, but I would say that THAT particular input working in 2.1 seems impossible. Any input with a quotation mark should fail here. I just tried an input of a single " and it fails. I would suggest maybe percent-escaping any input that needs to be sent in an HTTP header.