ValidationException: addHeader: Invalid input

[sowjanya-gade]

Hello I have upgraded ESAPI libraries from 2.1 to 2.5.2 version and I am getting the following error in the new version which was working in the old version.Any help is appreciated.
Invalid input: context=addHeader, type(HTTPHeaderValue)=^[a-zA-Z0-9()-=*.?;,+/:&_ ]$, input=attachment;filename="CstmUpdFile-I_3.3.3
647_20230822213220.ZIP"
org.owasp.esapi.errors.ValidationException: addHeader: Invalid input. Please conform to regex ^[a-zA-Z0-9()-=*.?;,+
/:&_ ]$ with a maximum length of 4096

[kwwall]

Not an answer, but it would be very helpful if you could show us the ESAPI code and the immediate surrounding context that caused this or even better a short JUnit test to reproduce it.

From the looks of it, I'd say you are calling (possibly not directly) , you are calling this addHeader method and line 275 is throwing a ValidationException. However, the regex for the Validation.HTTPHeaderValue of

^[a-zA-Z0-9()-=*.?;,+/:&_ ]$

looks incorrect here as it would only allow a single character for a header value. Here's what it is supposed to be based on our default 2.5.2.0 ESAPI.properties file:

Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$

So I think what is triggering this is that the '*' missing before the ending '$' character on the regex.

[sowjanya-gade]

Thank you for your quick response.
Actually following is the actual error, see the header value.
Also I noticed asterisk from the regex is being removed when I post in this comment, not sure why. That's why i am attaching screenshot of error.

I have the 2.5.2 ESAPI.properties file in the classpath.
Following is the code that makes call to ESAPI api:

	HTTPUtilities hTTPUtilities = ESAPI.httpUtilities();
	hTTPUtilities.setCurrentHTTP(request, response);
	hTTPUtilities.setContentType(response);
	hTTPUtilities.getCurrentResponse().setContentType(CONTENT_TYPE);
    //response.setContentLength(file.length);
    Encoder encoder = ESAPI.encoder();
    String encodeFileName =  encoder.canonicalize("attachment;filename=\"" + fileName + "\"");
    //response.setHeader(CONTENT_DISPOSITION_KEY, "attachment;filename=\"" + fileName + "\"");
    hTTPUtilities.addHeader(CONTENT_DISPOSITION_KEY, encodeFileName);
    FileCopyUtils.copy(file, response.getOutputStream());

[SowjanyaReddyGade]

Bumping it up.
Any solution for this above issue you would recommend ? Thank you!