yaoyi2008 / owasp-esapi-php Goto Github PK

Creating a file named `Codec.php` anywhere in the `include_path` or in the 
working directory can be used to disable all encoding of all codecs:

<code language="php">
class Codec {
    function __construct() {
    }

    function encode($foo, $s) {
        return $s;
    }
}
</code>

The solution is including the file `Codec.php` from the absolute path in the 
ESAPI codecs. I am sending a patch for it.

In method DefaultUser::loginWithPassword() the condition for an empty password 
is not checked properly. Instead of 

if ( ... $password = "")

the correct syntax is

if ( ... $password == "")

with double equality signs.

Please update testFatal, testWarning, etc. to check that the record
actually makes it into the log, with the expected details.

What steps will reproduce the problem?
1. Deny write access to logging directory/
2. Set Logger/LogLevel to OFF in ESAPI.xml
3. Call new ESAPI('ESAPI.xml');


What is the expected output? What do you see instead?

Code generates a PHP Notice:

Warning: fopen(ESAPI_logging_file) [function.fopen]: failed to open stream:
Permission denied in
lib/apache-log4php/trunk/src/main/php/appenders/LoggerAppenderFile.php  on
line 67


What version of the product are you using? On what operating system?

Latest version on Ubuntu Apache 2.2


Please provide any additional information below.

reference/DefaultAuditor.php(591): $appenderLogfile->activateOptions();

ValidationErrorList has not yet been implemented and is needed in order for
groups of validators to be called in a non-blocking fashion and to allow
validation errors to be displayed to application users - as per esapi4java.

ValidationRule implementations will need modification in order for getValid
methods to accept an instance of ValidationErrorList and to append
ValidationExceptions to it.

Let's add getParameter to match the more recent ESAPI for Java versions

SafeFileTest testSafeFile fails to create an instance of SafeFile with $path:

/var/www/vhosts/user.name/httpdocs/esapi-php/test/testresources/ESAPI.xml

on PHP 5.2.0-8+etch16.  Here's the simpletest message:

Exception:
/var/www/vhosts/user.name/httpdocs/esapi-php/test/reference/SafeFileTest.php ->
SafeFileTest -> testSafeFile -> Unexpected exception of type
[ValidationException] with message [Invalid file] in
[/var/www/vhosts/user.name/httpdocs/esapi-php/src/SafeFile.php line 118]

and Auditor entry:

2010-04-14 19:57:45 +01:00 WARNING IntrusionDetector SECURITY-FAILURE File
path
(/var/www/vhosts/user.name/httpdocs/esapi-php/test/testresources/ESAPI.xml)
contains illegal character. exception 'ValidationException' with message
'Invalid file' in
/var/www/vhosts/user.name/httpdocs/esapi-php/src/SafeFile.php:118
| Stack trace:
| #0 /var/www/vhosts/user.name/httpdocs/esapi-php/src/SafeFile.php(70):
SafeFile->_doFileCheck('/var/www/vhosts...')
| #1
/var/www/vhosts/user.name/httpdocs/esapi-php/test/reference/SafeFileTest.php(42)
:
SafeFile->__construct('/var/www/vhosts...')
| #2
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/invoker.php(68): 
SafeFileTest->testSafeFile()
| #3
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/invoker.php(126):
SimpleInvoker->invoke('testSafeFile')
| #4
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/errors.php(49):
SimpleInvokerDecorator->invoke('testSafeFile')
| #5
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/invoker.php(126):
SimpleErrorTrappingInvoker->invoke('testSafeFile')
| #6
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/exceptions.php(43):
SimpleInvokerDecorator->invoke('testSafeFile')
| #7
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/test_case.php(143):
SimpleExceptionTrappingInvoker->invoke('testSafeFile')
| #8
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/test_case.php(585):
SimpleTestCase->run(Object(HtmlReporter))
| #9
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/test_case.php(588):
TestSuite->run(Object(HtmlReporter))
| #10 /var/www/vhosts/user.name/httpdocs/esapi-php/test/AllTests.php(41):
TestSuite->run(Object(HtmlReporter))
| #11 {main}

We can see from the stack trace (and I've manually verified it) that
_doFileCheck is passed a full filepath rather than the file name.  This is
because SafeFile::getFileName returns the full path.
At this moment, I do not know why this happens.  I found PHP Bug 48788
which may or may not be related http://bugs.php.net/bug.php?id=48788

The following features of DefaultLogger have not yet been implemented:

o log a generated logging session ID, or a hashed value of the session ID
o log the identity of the user that caused the event and user's source IP
o hostname or IP where the event occurred

DefaultLogger contains placeholder code for these features based on the
assumption that HTTPUtilities will provide a getRequest() method that
returns a request object from which the required information can be obtained.

Running ESAPI AllTests on Apache 2.2 with PHP 5.2.0-8+etch16 and Safe Mode
enabled causes exceptions and failures with the following test cases:

ExecutorTest
SafeFileTest
ValidationRulesTest
SanitizerTest

It's the Safe Mode restrictions which cause the problems, for example:

Unexpected PHP error [file_put_contents(): SAFE MODE Restriction in effect.
The script whose uid is 10186 is not allowed to access
~/httpdocs/esapi-php/lib/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer/HT
ML
owned by uid 33] severity [E_WARNING] in
[~/httpdocs/esapi-php/lib/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer.p
hp
line 103]

For the full list of failures and exceptions see:
https://lists.owasp.org/pipermail/esapi-php/2010-April/000805.html

-----Original Message-----
From: "Linden Darling" <[email protected]>
Date: Thu, 5 Nov 2009 12:28:23
To: ESAPI for PHP development list<[email protected]>
Subject: Re: [Esapi-php] getHexForNonAlphanumeric  -- redux

Codec normalizes to UTF-32 so that all string comparaisons occur at this
normalized level. After decoding/encoding the string should get converted
back to the encoding that it was originally supplied in.

I've encountered issues along the way regarding mb_detect_encoding
detecting the encoding of single characters, hence the fleshed out logic
surrounding detection of encoding.

There's also an issue if we pass a UTF-32 encoded string in the first
place, currently the code won't detect that and it will double-UTF-32
encode :o Have been considering allowing the User (of ESAPI) to be able to
state the initial encoding so as to avoid such issues...

- Linden

The testConfigChecksum test for the DefaultSecurityConfiguration is not
testing ESAPI per se. It's an example of a best practice, but doesn't e.g.
extract a MD5 value from within ESAPI.xml, and compare that against a
recomputed value. Please remove this test from SecurityConfigurationTest.

The following behaviours were put in place temporarily to assist with Codec
debugging:

DEBUG level events are currently prevented from being logged to file.  I
put this filter in place because of the CodecDebug output which can add
a substantial amount to log files.

CRLF are not stripped from the log entries at the moment because that
would make CodecDebug output difficult to read.

Log entries are being logged to both STDOUT (which means to the browser
too) and to the logfile.

Please add a codecs directory and CodecTest.php stub, just as there is for
example an errors directory and an EnterpriseSecurityExceptionTest.php, in
anticipation of working on the codecs.

The following error on PHP 5.2.0-8+etch16 on Apache on Debian Etch:

Fatal error: Call to a member function attributes() on a non-object in
/var/www/vhosts/user.name/httpdocs/esapi-php/src/reference/DefaultSecurityConfig
uration.php
on line 166

The code that causes this is:

{{{
$_events = $this->_xml->xpath('/esapi-properties/IntrusionDetector/event');

foreach ($_events as $event) {

    $name = (string) $event[0]->attributes()->name;
    $count = (int) $event[0]->attributes()->count;
    $interval = (int) $event[0]->attributes()->interval;
}}}

`$_events` is an array of `SimpleXMLElement` and the error happens when we do:

`SimpleXMLElement[0]->attributes()`

This works:

`SimpleXMLElement->attributes()`

I've tested this on PHP 5.2.0-8+etch16 and PHP 5.2.9 on windows and propose
the attached patch as a fix.
It's worth noting that PHP 5.2.0-8+etch16 is the latest stable package of
PHP 5 for Debian Etch http://packages.debian.org/etch/php5 and seems to be
a popular platform for web hosting companies.

Please update AuthenticationDefaultException and AuthenticationException to
be testAuthenticationDefaultException and testAuthenticationException, to
follow the same naming conventions as the other exception tests.

[deleted issue]

What steps will reproduce the problem?
1.Install collabnet subversion on windows
2.user below commands to checkout PHP ESAPI code
svn checkout http://owasp-esapi-php.googlecode.com/svn/trunk/ 
owasp-esapi-php-read-only

What is the expected output? What do you see instead?
Code present in the PHP ESAPI trunk should be checked out in a local directory

Below error message is shown
svn: OPTIONS of 'http://owasp-esapi-php.googlecode.com/svn/trunk': could not 
connect to server (http://owasp-esapi-php.googlecode.com)

What version of the product are you using? On what operating system?
CollabNet Subversion Client
Windows 7

Please provide any additional information below.

Following testcases fail in my specific environment:
ExecutorTest::testExecuteUnixLegalSystemCommand()
ExecutorTest::testExecuteUnixGoodWorkDirectory()
ExecutorTest::testExecuteUnixChainedParameter()

This is caused by executable to test ('/bin/sh') that here is a symlink to 
'bin/bash'. Therefore in DefaultExecutor::executeSystemCommandLonghand() 
comparison [if (strcmp($resolved, realpath($resolved)) != 0)] is evaluated to 
TRUE and an ExecutorException is thrown.

Having /bin/sh symlinked is a behavior to expect.

And as unit tests are supposed to test correctness/completeness of program code 
and *not* environment specifics, ExecutorTest should be fixed in regards to 
symlink awareness.

The first attempt of SafeRequest isn't very good and rather than address each 
of its defects individually, I believe a complete rewrite is in order.

One of the biggest problems is that the first call to any method which requires 
SERVER globals will cause the entire SERVER array contents to be canonicalised 
which is incredibly expensive and very rarely desirable.

Another issue is that SafeRequest tries to be two things at once: a filter for 
a request and a way to create a request (and used by unit tests) object.  
SafeRequest should probably stick to being a filter only - a way to access 
request related globals in a safe and consistent way.

Safe Request doesn't handle array type request parameters as it should.

What steps will reproduce the problem?
1. $esapi = new ESAPI( "ESAPI/ESAPI.xml" );
2. $encoder = $esapi->getEncoder();

What is the expected output? What do you see instead?
The execution report the following error: 
Strict Standards: Declaration of Base64Codec::encodeCharacter() should be 
compatible with Codec::encodeCharacter($immune, $c) in 
C:\...\codecs\Base64Codec.php on line 130

What version of the product are you using? On what operating system?
ESAPI r834 on Windows 7.

Please provide any additional information below.
PHP version: PHP Version 5.4.0beta2-dev

Looking at:

Exception: C:\Code\ESAPI-PHP-mike.boberski\test/reference/ValidatorTest.php
-> ValidatorTest -> testGetValidDate -> Unexpected exception of type
[ValidationException] with message [DateValidationRule.setDateFormat
requires a non-null DateFormat] in
[C:\Code\ESAPI-PHP-mike.boberski\src\reference\validation\DateValidationRule.php
line 24]

In DateValidationRule.php, nothing is ever done with $this->format, also
date_create returns true/false, it doesn't throw an exception.

Please use date_parse_from_format  ( string $format  , string $date  ) as
the third check in DateValidationRule.php's getValid function, checking the
errors array to determine success/failure.

There should only be one assertion per test. We can double back for
existing code as time/space permits.

What steps will reproduce the problem?
1. Copy ESAPI.php to own file
2. Attempt to include custom file and use

What is the expected output? What do you see instead?
Expect to be able to extend ESAPI class to customize functionality.

What version of the product are you using? On what operating system?
Latest; on linux

Please provide any additional information below.
Base64Codec.php requires ESAPI.php specifically for what appears to be no other 
purpose than to create a Auditor instance local to the constructor (not even as 
a property of the new object).  The $logger variable created is not used.  
Removing this extraneous logger makes extending the ESAPI framework possible.

Please update AccessReferenceMapTest to be named
RandomAccessReferenceMapTest, in a similar fashion as the integer map test
was named.

Problem:
Returning an empty string as the decodedCharacter to Codec::decode from,
for instance, CSSCodec::decodeCharacter, will cause Codec::decode to not
strip the encodedString portion from the original input string.

It is necessary to return an empty string as the decodedCharacter for
situations where the encodedString is to be effectively "ignored" (i.e.
simply stripped from original string, replaced with nothing).

The workaround at the moment manifests within CSSCodec::decodeCharacter
where (seemingly) a non-UTF-32 encoded space is returned to Codec::decode.
If a UTF-32 encoded space is returned as decodedCharacter then the
encodedString portion is removed from original string but replaced by a
space (as it should!).

Would be nice to see UTF-32 encoded empty string handled properly so as to
reinforce the contract to normalize all strings within Codecs to UTF-32. 

Files that need to be addressed for this issue:
Codec.php
CSSCodec.php
(possibly other specific Codec implementations in future)

My IDE stores project specific settings in file .project in project root. 
Contained configuration is IDE (project) specific and not necessary useful  for 
other contributors.

This issue is about to ignore such file in revision control system such that it 
will not accidentially committed.

Please add a test for setResourceDirectory

Please add a sanitize method to the BaseValidationRule

It should be more graceful than throwing an exception when a validation
expression is not found.

What steps will reproduce the problem?

1. goto wiki for owasp esapi php project:
http://code.google.com/p/owasp-esapi-php/wiki/Welcome?tm=6
2. read all available wiki dox there.
3. note java2 as the focus, and not a single line of php in the wiki.


What is the expected output? What do you see instead?

I'd expect php to be the language of focus, not java, else I would likely
goto the owasp esapi jaja project
(http://code.google.com/p/owasp-esapi-java/) for sample code on java.


What version of the product are you using? On what operating system?

current google wiki as of may 19, 2010.



Please provide any additional information below.

Is there anywhere to get php code samples? tnx.

Please add getWorkingDirectory and getAllowedExecutables to the
SecurityConfiguration interface.

Assuming one adds a check for null, the Codec decode function is broken for
the case where encoded characters are longer than one character; pushback
string or equivalent is needed.

What steps will reproduce the problem?
1. check the character 'a' (or any other) with isValidPrintable()  
[DefaultValidator.php]


What is the expected output? 
return value true.

What do you see instead?
getESAPIValidationExpression: Cannot find regular expression: 
^[\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f0-9\x3a\x3b\x3
c\x3d\x3e\x3f\x40A-Z\x5b\x5c\x5d\x5e\x5f\x60a-z\x7b\x7c\x7d\x7e]*$

What version of the product are you using? On what operating system?
I'm using svn revision 823.

Please provide any additional information below.
I chanced isValidPrintable() and added the regex (previously located in 
DefaultValidator.php) to ESAPI.xml with the name 'Printable' - this might be a 
valid fix:

See the attached file for the changes.
If this is a valid fix unused functions that were previously used by  
isValidPrintable() maybe removed.

as an enhancement to the interface in general (i.e. this is not something
in the ESAPI for Java baseline)

What steps will reproduce the problem?
1.Trying to access DefaultUser class in "src/reference" folder


What is the expected output? What do you see instead?
It should initialize the user object. "User.php" file missing from the 
php-esapi repo.

What version of the product are you using? On what operating system?
current version

Please provide any additional information below.
I am trying to implement the src/reference/DefaultUser class and on top of that 
DefaultUser.php there is a reference to "require_once dirname(__FILE__) . 
'/../User.php';" but User.php file not found anywhere in the repo. I will 
really appreciate if someone could plz provide me a copy of complete php-esapi 
project ASAP as I am already in the middle of a project with the deadline 
approaching soon.

Your feedback/help will be really appreciated.

Please add individual assertions for the Exception tests. Also, don't we
really need some type of assertion for the constructor tests? 

See src/reference/validation/DateFormat.php

    function __construct($format=null,$type='MEDIUM') {
        Da
        $this->setformat($format,$type);
    }

Please remove "Da"

[deleted issue]

Please add Randomizer tests for getRandomBoolean, getRandomLong, and
getRandomFilename

What steps will reproduce the problem?

ESAPI Interfaces need porting from J2EE

What is the expected output? What do you see instead?

ESAPI Interfaces ported to PHP

Please use labels and text to provide additional information.

HTMLValidationRule cannot be considered complete until its getValid and
sanitize methods validate and sanitize based on a properly defined
HTMLPurifier policy - much in the same way as esapi4java uses an AntiSamy
policy.

At the moment HTMLPurifier is instantiated with the default policy
(whatever that may be) with the addition of a small number of custom
directives (one of which is Core.CollectErrors - needed in order to
determine whether there were errors).

In order for HTMLValidationRule to work in the same way as esapi4java,
getValid should return the errors generated by HTMLPurifier so that they
can be returned to the user.  I'm thinking of a use case where a web
application allows users to submit content containing (a subset of) HTML
markup and failed validation should present the user with failed validation
feedback e.g. "Sorry, script tags not allowed". getValid will be required
to accept a ValidationErrorList object to which it will addErrors. see
issue 31.

In  MySQLCodec::encodeCharacterMySQL()  you're replacing 0x1a with "\z"
although it should be "\Z" as per MySQL docs:

http://mirror.yandex.ru/mirrors/ftp.mysql.com/doc/refman/5.0/en/string-syntax.ht
ml

osapi-ewasp-java uses "\Z" so it's probably just a typo.

New codec tests reveal that Codec decode needs to check for null being
returned from decodeCharacter

Let's add getParameter to match the more recent ESAPI for Java versions

_assertValidInput first tries to load a regex from the 
DefaultSecurityConfiguration with the name specified by the 'type' parameter. 
If the 'type' parameter supplied is actually a regex (and not the name of a 
defined one) then  _getESAPIValidationExpression will print a message (via 
_logSpecial) because no regex with the supplied name exists.

I think that _assertValidInput should have separate parameters for a named 
regex and an actual regex and should probably throw an InvalidArgumentException 
if both are supplied.

It appears that tests are missing for ValidationErrorList methods. I'm also
wondering if we shouldn't go beyond what the Java team is doing for
validation rules and test them directly. Tests missing it looks like for
isValidSafeHTML, isValidDirectoryPath, getValidDirectoryPath, and a number
of others.

Solve the todo in DefaultEncoder class for with new XMLEntityCodec

// TODO http://code.google.com/p/owasp-esapi-java/issues/detail?id=62

The more involved mb_ approach does not work for Windows, Unix, and percent
codecs, it simply doesn't match on the characters for e.g. the percent
codec encode test case ('"; ls / > /tmp/foo; # ').

need a getAllowedIncludes in SecurityConfiguration as a language-specific
enhancement

What steps will reproduce the problem?
1. set your hostname = 'www.a.foo.com'
2. invoke SafeRequest.getServerName()

What is the expected output? 
No output. It should return the server name successfully.

What do you see instead?
WARNING IntrusionDetector SECURITY-FAILURE UnknownLocalHost:443 
[email protected][ID:295] HTTP Request Server Name validation: 
Invalid input. Input does not conform to the whitelist regex 
(^(?:(?:25[0-5]|2[0-
4][0-9]|[01]?[0-9][0-9]&#
x3f;)\.){3}(?:25[0-5]|2&#
x5b;0-4][0-9]|[01]?[0-9][0-9&#
x5d;?)$|^((?:(?:&#x5
b;0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z&#x5
d;)\.)*[a-zA-Z]{2,4}|[0-9a-zA-
Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])&#
x24;) (This log message was encoded for HTML) exception 
'ValidationException' with message 'HTTP Re

What version of the product are you using? On what operating system?
r824 on FreeBSD

Please provide any additional information below.
I think the regex for PATTERN_HOST_NAME is not correct because it
is expecting at least 2 chars token seperated by the dot '.'

From 
http://www.ietf.org/rfc/rfc1035.txt

Section 2.3.1 

"They [hostnames] must
start with a letter, end with a letter or digit, and have as interior
characters only letters, digits, and hyphen.  There are also some
restrictions on the length.  Labels must be 63 characters or less."