MemeStreams Discussion

ASP.NET RegEx Validators fail open? WTF?
by Acidus at 3:26 pm EST, Nov 20, 2007

RegEx Validators are handy for implementing Whitelist input validation so it pays to see what they actually do under the covers.

    // Excerpt from the validator's evaluation routine (decompiled);
    // requires System.Text.RegularExpressions.
    try
    {
        // Regex.Match is unanchored, so the Index/Length checks are what
        // turn this into a whole-input (whitelist) comparison.
        Match match = Regex.Match(controlValidationValue,
            this.ValidationExpression);
        return ((match.Success && (match.Index == 0))
            && (match.Length == controlValidationValue.Length));
    }
    catch
    {
        // Any exception (e.g. a malformed ValidationExpression) is reported as "valid".
        return true;
    }

A final thing that caught my eye was the try ... catch ... block. If the Regex.Match() call throws an exception, the validator returns true, indicating the input is safe. This means in the event of an error, the validator fails open instead of failing closed! Deciding when applications/appliances/software/hardware/structures should fail open or fail closed is way beyond the scope of this post, and the answer is almost always circumstantial, based on the individual situation. Quick, should firewalls fail open or closed? Fail open? Well then an attacker knocks out your firewalls and it's open season on the FTP servers and Samba shares inside your organization. Fail closed? That's a nifty DoS you built into your network infrastructure now, isn't it? When should input validation fail open or fail closed? Again, it depends, but my gut tells me it should fail closed more often than it fails open.

More web sec people read Memestreams than read the SPI Labs blog. I'm not really sure what to make of that. :-)
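An added example (not from the post or from the ASP.NET source) that puts the decompiled check beside a fail-closed variant: the hardened version anchors the whole input itself, bounds match time, and treats a malformed pattern or a timeout as invalid input. The method names FailOpen/FailClosed and the constructed patterns are assumptions of this example.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: the fail-open validator logic from the post beside a
// fail-closed alternative, run on constructed input.
static class RegexValidatorDemo
{
    // Mirrors the decompiled snippet: any exception is reported as "valid".
    static bool FailOpen(string value, string pattern)
    {
        try
        {
            Match m = Regex.Match(value, pattern);
            return m.Success && m.Index == 0 && m.Length == value.Length;
        }
        catch
        {
            return true;  // fail open
        }
    }

    // Hardened variant: explicit anchoring, bounded backtracking,
    // and every error path yields "invalid".
    static bool FailClosed(string value, string pattern)
    {
        try
        {
            var re = new Regex(@"\A(?:" + pattern + @")\z",
                               RegexOptions.None, TimeSpan.FromMilliseconds(200));
            return re.IsMatch(value);
        }
        catch (RegexMatchTimeoutException)
        {
            return false; // fail closed on a match that runs too long
        }
        catch (ArgumentException)
        {
            return false; // fail closed on a malformed pattern
        }
    }

    static void Main()
    {
        const string phone  = @"\d{3}-\d{4}";   // constructed whitelist pattern
        const string broken = @"(\d{3}-\d{4}";  // constructed typo: missing ')'

        Console.WriteLine("fail-open,   good pattern, good input : " + FailOpen("555-1234", phone));
        Console.WriteLine("fail-open,   good pattern, bad input  : " + FailOpen("<script>", phone));
        Console.WriteLine("fail-open,   broken pattern, bad input: " + FailOpen("<script>", broken));
        Console.WriteLine("fail-closed, broken pattern, bad input: " + FailClosed("<script>", broken));
    }
}
```

With the broken pattern, Regex.Match throws an ArgumentException, so the third line shows the catch-all path accepting arbitrary input while the fourth rejects it.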
