[Esapi-dev] SecurityWrapperRequest.getPathInfo() should not be a required field

augustd augustd at codemagi.com
Mon Sep 13 17:45:48 EDT 2010


SecurityWrapperRequest.getPathInfo() should not be a required field. The
official Java API docs state that this extra information could potentially
be null and therefore the field should not be required.

http://download.oracle.com/javaee/5/api/javax/servlet/http/HttpServletRequest.html#getPathInfo%28%29

I propose changing line 452 of
org.owasp.esapi.filters.SecurityWrapperRequest from:

            clean = ESAPI.validator().getValidInput("HTTP path: " + path,
                    path, "HTTPPath", 150, false);

to:

            clean = ESAPI.validator().getValidInput("HTTP path: " + path,
                    path, "HTTPPath", 150, true);

Regards,
August