Bug#745897: closed by Hideki Yamane <henrich at debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Nobuhiro Ban
ban.nobuhiro at gmail.com
Sun Jun 1 08:23:59 UTC 2014
Hi,
> Thanks for your comment, do you have any fix for it?
Security vendors (LAC Co., Ltd. and Mitsui Bussan Secure Directions, Inc.)
suggest /(^|\W)[cC]lass\W/, so I'm personally using a naive implementation
of this pattern: Pattern.compile(".*(^|\\W)[cC]lass\\W.*") .
But I'm not an IT-security professional, so I can't say that this works
perfectly, sorry.
Regards,
Nobuhiro
2014-06-01 15:40 GMT+09:00 Hideki Yamane <henrich at debian.or.jp>:
> Hi,
>
> On Sun, 1 Jun 2014 15:03:20 +0900
> Nobuhiro Ban <ban.nobuhiro at gmail.com> wrote:
>> It's a very strange regexp, because we know (P1|.*|P2) == .* .
>> This pattern will match words other than "class", e.g. "fooClass".
>>
>> I think this patch will cause a regression.
>
> Thanks for your comment, do you have any fix for it?
>
>
> --
> Regards,
>
> Hideki Yamane henrich @ debian.or.jp/org
> http://wiki.debian.org/HidekiYamane
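As an added example (not code from the Debian patch, from Struts, or from either participant), the following Java class checks the two behaviours discussed in this thread over a handful of constructed parameter names: the suggested `(^|\W)[cC]lass\W` filter, applied the way the message does (wrapped in `.*` and used with `matches()`), and a stand-in for the criticised `(P1|.*|P2)` shape. The `P1`/`P2` alternatives in the stand-in are arbitrary placeholders, not the text of the rejected patch; the sample names are likewise constructed for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example, not part of the bug report or of libstruts1.2-java.
 * Compares the filter suggested in the thread with a stand-in for the
 * "(P1|.*|P2)" shape that was criticised as matching every parameter name.
 */
public class ClassParamFilter {

    // Pattern from the message, used with matches() on the whole name.
    // The surrounding .* makes matches() behave like find() on the bare
    // (^|\W)[cC]lass\W pattern.
    static final Pattern SUGGESTED =
        Pattern.compile(".*(^|\\W)[cC]lass\\W.*");

    // Stand-in for "(P1|.*|P2)": P1 and P2 are placeholders (assumption,
    // not the patch's real alternatives). Any alternation containing a
    // bare .* alternative matches every input, which is the regression
    // pointed out in the thread.
    static final Pattern OVERBROAD =
        Pattern.compile("(P1|.*|P2)");

    /** True when the suggested filter would reject this parameter name. */
    static boolean suggestedRejects(String name) {
        return SUGGESTED.matcher(name).matches();
    }

    /** True when the (P1|.*|P2)-shaped filter would reject this name. */
    static boolean overbroadRejects(String name) {
        return OVERBROAD.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names. The first two walk into
        // the ClassLoader through the "class" property; the remaining
        // three are ordinary form-field names that contain "class" only
        // as part of a larger word.
        String[] names = {
            "class.classLoader.URLs[0]",
            "form.class.classLoader.resources",
            "fooClass",
            "classroom",
            "userName"
        };
        System.out.printf("%-36s %-10s %-10s%n",
            "parameter", "suggested", "overbroad");
        for (String n : names) {
            System.out.printf("%-36s %-10b %-10b%n",
                n, suggestedRejects(n), overbroadRejects(n));
        }
    }
}
```

Compiled and run, the table shows the suggested filter rejecting only the two names in which `class` is delimited by a non-word character on both sides (the leading `^` counts as a delimiter), while the `(P1|.*|P2)` stand-in rejects all five, including `fooClass`, `classroom` and `userName`. Two caveats worth keeping in mind with the suggested pattern: Java's `\W` is ASCII-only unless `Pattern.UNICODE_CHARACTER_CLASS` is set, so the delimiter test is on `[^a-zA-Z0-9_]`; and a bare name of exactly `class`, with nothing after it, does not match because the trailing `\W` requires a following character, which the thread does not discuss.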