[Esapi-dev] SecurityWrapperRequest.setAllowableContentRoot()
Jim Manico
jim.manico at owasp.org
Tue Sep 28 18:48:53 EDT 2010
Jeff+++++++++++
From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
Sent: Tuesday, September 28, 2010 12:45 PM
To: Jim Manico; augustd; ESAPI-Developers
Subject: RE: [Esapi-dev] SecurityWrapperRequest.setAllowableContentRoot()
Hmmm, this is an operator precedence screwup. String concatenation has
precedence over the ternary operator. How is it with parentheses?
this.allowableContentRoot = (allowableContentRoot.startsWith( "/" ) ? "" :
"/" ) + allowableContentRoot;
Might just be simpler without the ternary operator.
if ( !allowableContentRoot.startsWith( "/" ) ) {
allowableContentRoot = "/" + allowableContentRoot;
}
--Jeff
Jeff Williams, CEO
Aspect Security
work: 410-707-1487
main: 301-604-4882
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Monday, September 27, 2010 5:48 PM
To: 'augustd'; 'ESAPI-Developers'
Subject: Re: [Esapi-dev] SecurityWrapperRequest.setAllowableContentRoot()
This looks serious; can other folks chime in?
I added this to our issue tracker here.
http://code.google.com/p/owasp-esapi-java/issues/detail?id=150
- Jim
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of augustd
Sent: Monday, September 27, 2010 8:20 AM
To: ESAPI-Developers
Subject: [Esapi-dev] SecurityWrapperRequest.setAllowableContentRoot()
I think I found a problem with the setAllowableContentRoot method in
org.owasp.esapi.filters.SecurityWrapperRequest:
public void setAllowableContentRoot(String allowableContentRoot) {
this.allowableContentRoot = allowableContentRoot.startsWith( "/" ) ?
"" : "/" + allowableContentRoot;
}
This looks to me like if you try to use a path starting with "/" it will set
the allowable root to the empty String "". Shouldn't this be:
this.allowableContentRoot = allowableContentRoot.startsWith( "/" ) ?
allowableContentRoot : "/" + allowableContentRoot;
The primary purpose of allowableContentRoot is to make sure that a
RequestDispatcher returned from getRequestDispatcher can only return
resources under the WEB-INF directory. However, if you were to attempt to
set allowableContentRoot using an absolute path of "/WEB-INF/jsp" for
example, it would essentially remove that protection.
Is this an error, or is there a specific reason why this method would 'blank
out' absolute paths?
-August
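The following is an added example for this archive page; it is not ESAPI code and not part of the thread. It places the three variants discussed above side by side (August's original, Jeff's parenthesised form and Jeff's plain-if form) and drives them through both a relative and an absolute root, then models the consequence with a hypothetical prefix check named dispatchAllowed, which is an assumption about how a wrapper would use allowableContentRoot and is not claimed to be the real getRequestDispatcher implementation.

```java
// Added example (not ESAPI's own code): reproduces the operator-precedence
// bug from the thread and shows why an empty allowable root matters.
public class AllowableContentRootDemo {

    // Form as posted in the original report. The conditional operator binds
    // more loosely than '+', so Java parses this as
    //     cond ? "" : ("/" + root)
    // and an absolute root collapses to "".
    static String buggy(String root) {
        return root.startsWith("/") ? "" : "/" + root;
    }

    // Jeff's parenthesised fix: the ternary now only decides the prefix.
    static String parenthesised(String root) {
        return (root.startsWith("/") ? "" : "/") + root;
    }

    // Jeff's plain-if form, which avoids the precedence question entirely.
    static String plainIf(String root) {
        if (!root.startsWith("/")) {
            root = "/" + root;
        }
        return root;
    }

    // Hypothetical model of a dispatcher guard (assumption, not ESAPI code):
    // a path is forwarded only if it starts with the configured root.
    // With root == "" every path passes, because "".startsWith("") is true
    // for any string.
    static boolean dispatchAllowed(String allowableRoot, String path) {
        return path.startsWith(allowableRoot);
    }

    public static void main(String[] args) {
        // Constructed inputs: one relative root, one absolute root.
        String[] inputs = {"WEB-INF/jsp", "/WEB-INF/jsp"};
        for (String in : inputs) {
            System.out.printf("input=%-13s buggy=%-15s paren=%-13s if=%s%n",
                    in,
                    "\"" + buggy(in) + "\"",
                    parenthesised(in),
                    plainIf(in));
        }

        // Consequence: with the buggy setter and an absolute root, a path
        // outside WEB-INF is accepted by the prefix check.
        String outside = "/index.jsp";
        String buggyRoot = buggy("/WEB-INF/jsp");
        String fixedRoot = parenthesised("/WEB-INF/jsp");
        System.out.println("buggy root \"" + buggyRoot + "\" allows " + outside
                + "? " + dispatchAllowed(buggyRoot, outside));
        System.out.println("fixed root \"" + fixedRoot + "\" allows " + outside
                + "? " + dispatchAllowed(fixedRoot, outside));
    }
}
```

Running this prints an empty string for buggy("/WEB-INF/jsp") while both corrected forms return "/WEB-INF/jsp", and the modelled check then accepts /index.jsp under the buggy root but rejects it under the fixed one. A separate caveat that applies to any guard of this shape: a bare startsWith comparison is a string-prefix test, not a path-containment test, so "/WEB-INF/jspx" would also satisfy a root of "/WEB-INF/jsp"; normalising the path and comparing against the root with a trailing separator avoids that.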