Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

Wiki Markup
Many classes, including {{Pattern}} and those that support {{XML}} and {{SQL}} based actions by passing {{String}} arguments to methods, allow inclusion of escape sequences in character and string literals. According to the Java Language Specification \[[JLS 05|AA. Java References#JLS 05]\] section 3.10.6 ""Escape Sequences for Character and String Literals"":

The character and string escape sequences allow for the representation of some nongraphic characters as well as the single quote, double quote, and backslash characters in character literals (§3§3.10.4) and string literals (§3§3.10.5).

In order to correctly use escape sequences pertaining to String literals, an understanding of how they are interpreted is essential. For example, SQL statements written in Java, sometimes require certain special escape characters or sequences (for instance, sequences containing \t, \n, \r). In SQL queries, all escape sequences must be preceded by an extra backslash for correct interpretation.

...

In general, for a particular escape character of the form '\X', the equivalent Java representation is:

Code Block
""\\X""

As an aside, this particular condition gains remarkable importance in automatic exploit signature detection systems and filters that rely on patter matching.

...

Code Block
bgColor#FFCCCC
public class BadSplitter {
  private final String WORDS = ""\b""; // Intend to split on word boundaries

  public String[] splitWords(String input){
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}

...

Code Block
bgColor#ccccff
public class GoodSplitter {
  private final String WORDS = ""\\b""; // Will allow splitting on word boundaries

  public String[] split(String input){
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[JLS 05|AA. Java References#JLS 05]\] 3.10.6 Escape Sequences for Character and String Literals
\[[API 06|AA. Java References#API 06]\] [Class Pattern|http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html] ""Backslashes, escapes, and quoting""
\[[API 06|AA. Java References#API 06]\] [Package java.sql|http://java.sun.com/javase/6/docs/api/java/sql/package-summary.html]

...

IDS06-J. Prevent XPath Injection            49. Miscellaneous (MSC)            MSC32-J. Make sensitive classes noncloneable