What steps will reproduce the problem? 1. Match a string "a" to a subset of the regex: "^(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&&ESAPILEG-37; $#_]*)?$" 2. Match a string "a" to a subset of the regex without a-z range: "^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&&ESAPILEG-37; $#_]*)?$" 3. Match a string "a" to a subset of the regex without "amp;" substring: "^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&&ESAPILEG-37; $#_]*)?$" What is the expected output? What do you see instead? 1. "a" matches 2. "a" matches, but expected not to match, if & is a reference to ampersand 3. "a" does not match
Conclusion: & is a simple character class, not a reference to ampersand. What version of the product are you using? On what operating system? 2.1.0 Win7 Does this issue affect only a specified browser or set of browsers? - Please provide any additional information below. Java 1.6
From anton.sh...@gmail.com on March 17, 2014 16:17:40
What steps will reproduce the problem? 1. Match a string "a" to a subset of the regex: "^(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&&ESAPILEG-37;
$#_]*)?$"
2. Match a string "a" to a subset of the regex without a-z range: "^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&&ESAPILEG-37;
$#_]*)?$"
3. Match a string "a" to a subset of the regex without "amp;" substring: "^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&&ESAPILEG-37;
$#_]*)?$" What is the expected output? What do you see instead? 1. "a" matches
2. "a" matches, but expected not to match, if & is a reference to ampersand
3. "a" does not match
Conclusion: & is a simple character class, not a reference to ampersand. What version of the product are you using? On what operating system? 2.1.0 Win7 Does this issue affect only a specified browser or set of browsers? - Please provide any additional information below. Java 1.6
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=322