svedec Posted July 25, 2012

When I want to make a domain with a derived table, apparently I can't use the greater-than sign for date comparison. The database is Informix IDS, jasperserver is version 4.5.0.

This query works:
select * from client where enddate < CURRENT

This one doesn't:
select * from client where enddate > CURRENT

Am I missing something here, or is this just foolish?

I found this in the errorlog:
2012-07-25 10:53:51,126 WARN IntrusionDetector,TP-Processor3:449 - [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionDetector] Invalid input: context=createdQuerySql-Run_Report_context, type(NoTag)=^[^<][^>]*$, input=select * from client where enddate > CURRENT
org.owasp.esapi.errors.ValidationException: createdQuerySql-Run_Report_context: Invalid input. Please conform to regex ^[^<][^>]*$ with a maximum length of 5000

Post Edited by svedec at 07/25/2012 08:56
svedec Posted July 25, 2012 (Author)

Bug report?
oesina Posted July 25, 2012

Hi svedec,

Because of spam attack protection, we have activated input validation by default. You can either switch it off completely in jasperserver-pro\WEB-INF\classes\esapi as

# Turns request parameter validation on or off.
security.validation.input.on=false
# Turns CSRF attack guard on or off.
security.validation.csrf.on=false
# Turns sql validation on or off.
security.validation.sql.on=false

or modify rules inside security.properties and validation.properties. By default it's 5000 chars alpha-numeric.

Regards,
Olga
svedec Posted July 25, 2012 (Author)

Hi, and thanks for your quick reply. I'm not sure if the 5000-char limit is exactly what's wrong. I think the greater-than sign messes up the code. I'll give it a try and leave feedback.
svedec Posted July 25, 2012 (Author)

Thanks again, it seems to be working now. I wonder how this is tied to spam protection, since I have to log in on my own server?
oesina Posted July 25, 2012

Thanks for the update! The problem was alpha-numeric, not the 5000 chars.

Well, some robots manage to sniff out user/password, and then can push code that pretends to be queries, but damages the application server or the data behind it. Read more at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Post Edited by oesina at 07/25/2012 09:22