Best Practices – Review before releasing

I’ve already said before (Certificate-based SSL Documentum 7.1 with xCP 2.1) that EMC (or any company, for that matter) should be more careful when releasing products with comments left in files and/or scripts written for Windows environments that don’t work on *nix even though they are supposed to. This doesn’t break anything, but it really does look bad. Well, here we go again:

If you’re using Webtop 6.8 (by the way, this is still not fixed: sortablelistbox bug) you’ve probably noticed the ESAPI messages written to your application server log when Webtop is deployed OOTB or by following the deployment guide:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in ‘org.owasp.esapi.resources’ directory or file not readable: C:\blablablablablablabla\Tomcat v7.0 Server at localhost-config\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in ‘user.home’ (C:\Users\blablablablablablabla) directory: C:\Users\blablablablablablabla\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from ‘/ (root)’ using current thread context class loader!
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in ‘org.owasp.esapi.resources’ directory or file not readable: C:\blablablablablablabla\Tomcat v7.0 Server at localhost-config\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in ‘user.home’ (C:\Users\blablablablablablabla) directory: C:\Users\blablablablablablabla\esapi\validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from ‘/ (root)’ using current thread context class loader!

So I decided to investigate this to see if it can be removed. Long story short:

You can add -Dorg.owasp.esapi.resources="C:\blablabla\webtop\WEB-INF\classes" to the JVM parameters to reduce the messages to:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Found in ‘org.owasp.esapi.resources’ directory: C:\blablabla\webtop\WEB-INF\classes\ESAPI.properties
Loaded ‘ESAPI.properties’ properties file
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Found in ‘org.owasp.esapi.resources’ directory: C:\blablabla\webtop\WEB-INF\classes\validation.properties
Loaded ‘validation.properties’ properties file

but you can’t get rid of the messages altogether, as they are written with System.out.println (ouch).
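The log above spells out the order in which ESAPI looks for its properties files: the directory named by org.owasp.esapi.resources first, then .esapi under the resource directory, then esapi under user.home, and only then the classpath. The following is an added example (not Webtop or ESAPI code) that models that order on a throwaway directory layout so you can see why pinning the directory with the JVM parameter matters: without it, a stray copy of ESAPI.properties under user.home/esapi is picked up before the copy shipped in WEB-INF/classes. The function names, and the use of a plain directory list to stand in for the classpath, are assumptions of the example.

```python
"""Model of the ESAPI.properties lookup order reported in the Webtop log.

Added example, not ESAPI or Webtop code. The search order is reconstructed
from the log messages; the function names are assumptions.
"""
import os
import tempfile


def resolve_esapi_properties(name, esapi_resources=None, resource_dir=None,
                             user_home=None, classpath_dirs=()):
    """Return (location_label, path) of the first readable copy of `name`,
    walking the locations in the order ESAPI's log reports them, or
    (None, None) when no copy is found."""
    candidates = []
    if esapi_resources:  # -Dorg.owasp.esapi.resources=<dir>
        candidates.append(("org.owasp.esapi.resources",
                           os.path.join(esapi_resources, name)))
    if resource_dir:     # "SystemResource Directory/resourceDirectory"
        candidates.append(("resourceDirectory",
                           os.path.join(resource_dir, ".esapi", name)))
    if user_home:        # <user.home>/esapi/<name>
        candidates.append(("user.home", os.path.join(user_home, "esapi", name)))
    for d in classpath_dirs:  # classpath root(s), e.g. WEB-INF/classes
        candidates.append(("classpath", os.path.join(d, name)))
    for label, path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return label, path
    return None, None


def demo():
    """Constructed layout: a webtop/WEB-INF/classes copy and an (initially
    empty) user.home, mirroring the paths in the log."""
    root = tempfile.mkdtemp()
    classes = os.path.join(root, "webtop", "WEB-INF", "classes")
    home = os.path.join(root, "home")
    os.makedirs(classes)
    os.makedirs(os.path.join(home, "esapi"))
    with open(os.path.join(classes, "ESAPI.properties"), "w") as f:
        f.write("# constructed classpath copy\n")

    results = {}
    # 1. OOTB: no system property, nothing under user.home -> classpath wins,
    #    after the three "Not found" attempts seen in the log.
    results["ootb"] = resolve_esapi_properties(
        "ESAPI.properties", user_home=home, classpath_dirs=[classes])[0]
    # 2. A copy dropped into <user.home>/esapi shadows the bundled one.
    with open(os.path.join(home, "esapi", "ESAPI.properties"), "w") as f:
        f.write("# constructed user.home copy\n")
    results["user_home_shadow"] = resolve_esapi_properties(
        "ESAPI.properties", user_home=home, classpath_dirs=[classes])[0]
    # 3. Pinning org.owasp.esapi.resources to WEB-INF/classes makes the first
    #    lookup succeed, so the user.home copy is never consulted.
    results["pinned"] = resolve_esapi_properties(
        "ESAPI.properties", esapi_resources=classes, user_home=home,
        classpath_dirs=[classes])[0]
    return results


if __name__ == "__main__":
    for case, winner in demo().items():
        print(f"{case}: loaded from {winner}")
```

Besides shortening the log, the pinned location is the one to audit: whatever ends up in WEB-INF/classes/ESAPI.properties is the configuration the application actually runs with, and a copy elsewhere on the search path cannot silently take its place.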

However, this “investigation” led me to webtop/WEB-INF/classes/ESAPI.properties. This is the ESAPI configuration file, and it contains some funny/sad comments:

# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
# let this default to java.io.tmpdir for testing
#HttpUtilities.UploadTempDir=C:\\temp

Yes, let’s default this to java.io.tmpdir… in the next version, maybe…

# ESAPI Executor
# CHECKME – Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe

Umm, not sure what it is used for? Let’s check the ESAPI.properties originally bundled with ESAPI:

# ESAPI Executor
# CHECKME – This should be made OS independent. Don’t use unsafe defaults.
# # Examples only — do NOT blindly copy!
# For Windows:
# Executor.WorkingDirectory=C:\\Windows\\Temp
# Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
# For *nux, MacOS:
# Executor.WorkingDirectory=/tmp
# Executor.ApprovedExecutables=/bin/bash
Executor.WorkingDirectory=
Executor.ApprovedExecutables=

Well, we still don’t know what Webtop uses it for, but remember: do NOT blindly copy!
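Executor.ApprovedExecutables is ESAPI’s allowlist of programs its Executor may run, so approving cmd.exe makes the list as good as open, and the upstream file ships it empty for exactly that reason. Below is an added example (not ESAPI or Webtop code) that parses the two fragments quoted above and flags the things a reviewer would reject before release: shells or launchers in the approved list, Windows-only paths in a deployment that is not on Windows, and a test upload directory. The key names are the real ones from the file; the rule set, the function names and the host-OS parameter are assumptions of the example.

```python
"""Audit an ESAPI.properties for the unsafe Executor/upload settings quoted
in the post. Added example, not ESAPI code; rules and names are mine."""
import re

# The Webtop-shipped values quoted above, constructed here as a string.
WEBTOP_FRAGMENT = r"""
# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
# let this default to java.io.tmpdir for testing
#HttpUtilities.UploadTempDir=C:\\temp
# ESAPI Executor
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
"""

# The upstream ESAPI defaults quoted above: both keys deliberately empty.
UPSTREAM_FRAGMENT = r"""
# ESAPI Executor
Executor.WorkingDirectory=
Executor.ApprovedExecutables=
"""

# Command interpreters and launchers that defeat an executable allowlist.
SHELLS = {"cmd.exe", "powershell.exe", "runas.exe", "sh", "bash", "dash", "zsh"}
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_properties(text):
    """Minimal java.util.Properties reader: comments, key=value, and the
    '\\\\' -> '\\' unescape the file's own comment reminds you about."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def audit_esapi(text, host_os):
    """Return a list of findings for the given properties text, judged as if
    deployed on `host_os` ("Windows", "Linux", ...)."""
    props = parse_properties(text)
    findings = []

    approved = [e.strip() for e in
                props.get("Executor.ApprovedExecutables", "").split(",") if e.strip()]
    for exe in approved:
        name = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SHELLS:
            findings.append(
                f"Executor.ApprovedExecutables approves a shell/launcher: {exe}")

    for key in ("Executor.WorkingDirectory", "Executor.ApprovedExecutables",
                "HttpUtilities.UploadDir"):
        parts = [p.strip() for p in props.get(key, "").split(",") if p.strip()]
        if host_os != "Windows" and any(WINDOWS_PATH.match(p) for p in parts):
            findings.append(f"{key} uses a Windows path on a {host_os} host")

    upload_dir = props.get("HttpUtilities.UploadDir", "")
    if "test" in upload_dir.lower():
        findings.append(f"HttpUtilities.UploadDir looks like a test path: {upload_dir}")
    return findings


if __name__ == "__main__":
    for label, text in (("webtop", WEBTOP_FRAGMENT), ("upstream", UPSTREAM_FRAGMENT)):
        for finding in audit_esapi(text, "Linux") or ["no findings"]:
            print(f"[{label}] {finding}")
```

Run against a real deployment, the same function can be pointed at the pinned WEB-INF/classes/ESAPI.properties; an empty Executor.ApprovedExecutables, as upstream ships it, produces no findings, whereas the Webtop copy trips every rule on a *nix host.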
