From fagu...@gmail.com on February 14, 2013 05:48:25

What steps will reproduce the problem? 1.Instantiate a DateFormat with "dd/MM/yyyy" pattern
2.Call isValidDate method with "01/01/2AAA" as date What is the expected output? What do you see instead? I expected to get a false as result, but i got a true What version of the product are you using? On what operating system? Version 2.0.1 tested on Windows XP and Solaris both of them with java 1.6.0_33 Does this issue affect only a specified browser or set of browsers? No Please provide any additional information below. If I change the pattern to any other that don´t have "yyyy" at the end of the pattern i get a false as it´s expected.

Some examples:

DateFormat df=new SimpleDateFormat("dd/MM/yyyy");
df.setLenient(true);
System.out.println("Result:" + instance.isValidDate("Pruebas-", "01/01/2aaa", df, false));

Result:true

df=new SimpleDateFormat("yyyy/dd/MM");
df.setLenient(true);
System.out.println("Result:" + instance.isValidDate("Pruebas-", "2aaa/01/01", df, false));

Result:false

df=new SimpleDateFormat("dd/yyyy/MM");
df.setLenient(true);
System.out.println("Result:" + instance.isValidDate("Pruebas-", "01/2012'SELECT * FROM user_table'/01", df, false));

Result:false

df=new SimpleDateFormat("dd/MM/yyyy");
df.setLenient(true);
System.out.println("Result:" + instance.isValidDate("Pruebas-", "01/01/2012'SELECT * FROM user_table'", df, false));

Result:true

df=new SimpleDateFormat("dd/yyyy/MM");
df.setLenient(true);
System.out.println("Result:" + instance.isValidDate("Pruebas-", "01/2aaa/01", df, false));

Result:false

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=293