[Esapi-dev] SecurityWrapperRequest.getPathInfo() should not be a required field
augustd
augustd at codemagi.com
Mon Sep 13 17:45:48 EDT 2010
SecurityWrapperRequest.getPathInfo() should not be a required field. The
official Java API docs state that this extra information could potentially
be null and therefore the field should not be required.
http://download.oracle.com/javaee/5/api/javax/servlet/http/HttpServletRequest.html#getPathInfo%28%29
I propose changing line 452 of org.owasp.esapi.filters.SecurityWrapperRequest from:
clean = ESAPI.validator().getValidInput("HTTP path: " +
path, path, "HTTPPath", 150, false);
to:
clean = ESAPI.validator().getValidInput("HTTP path: " +
path, path, "HTTPPath", 150, true);
Regards,
August
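
Added example (not part of the message above and not ESAPI's own code): a self-contained Java stand-in showing what the final boolean argument changes when getPathInfo() returns null. The getValidInput method, the ValidationFailure class and the HTTP_PATH pattern here are hypothetical and only mirror the argument order quoted in the message; the sample paths are constructed.

```java
import java.util.regex.Pattern;

public class PathInfoNullDemo {
    // Hypothetical stand-in for a validation error (not ESAPI's ValidationException).
    static class ValidationFailure extends Exception {
        ValidationFailure(String msg) { super(msg); }
    }

    // Constructed whitelist for this demo; the real "HTTPPath" rule is defined in ESAPI's configuration.
    static final Pattern HTTP_PATH = Pattern.compile("^[a-zA-Z0-9.\\-/_]*$");

    // Hypothetical validator with the same argument order as the call in the message:
    // (context, input, type, maxLength, allowNull).
    static String getValidInput(String context, String input, Pattern type,
                                int maxLength, boolean allowNull) throws ValidationFailure {
        if (input == null || input.isEmpty()) {
            if (allowNull) return input;          // absent value is acceptable
            throw new ValidationFailure(context + ": input required");
        }
        if (input.length() > maxLength) throw new ValidationFailure(context + ": too long");
        if (!type.matcher(input).matches()) throw new ValidationFailure(context + ": invalid characters");
        return input;
    }

    // Runs one validation and reports the outcome as text.
    static String check(String path, boolean allowNull) {
        try {
            return "accepted -> " + getValidInput("HTTP path: " + path, path, HTTP_PATH, 150, allowNull);
        } catch (ValidationFailure e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed samples: null models a request that carries no extra path information.
        String[] samples = { null, "/reports/2010", "/reports/<script>" };
        for (String p : samples) {
            System.out.println("pathInfo=" + p);
            System.out.println("  allowNull=false: " + check(p, false));
            System.out.println("  allowNull=true : " + check(p, true));
        }
    }
}
```

In this stand-in the flag only affects the absent-value case; a path that is present still has to pass the length and whitelist checks whichever value is used.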