[Esapi-user] SecurityWrapperRequest.getServletPath and root war

Luke Biddell luke.biddell at gmail.com
Sat Apr 10 01:22:19 EDT 2004

I'm wrapping my servlet request using ESAPI. My war is at the root of my
jetty server so my servlet path is just empty "".

I get lots of exceptions stating:

    org.owasp.esapi.errors.ValidationException: HTTP servlet path: : Input

SecurityWrapperRequest.getServletPath appears to have two issues:

1) The regex in ESAPI.properties for Validator.HTTPServletPath doesn't
accommodate an empty path.

I found mention of this in discussions around Issue #46 here

I've used this regex in my config and tested it using QuickRex.


2) The code in SecurityWrapperRequest.getServletPath doesn't allow for a

Looking at the code itself I can't get past the getValidInput check as nulls
(and empty) are not allowed.

    clean = ESAPI.validator().getValidInput("HTTP servlet path: " + path,
            path, "HTTPServletPath", 100, false);

My application is working ok as the exception is caught in getServletPath
and the clean string returned. However, I get lots of exceptions in my log.

Should I raise a bug or have I missed something?
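
The two points raised in the message above, modelled as an added example (not part of the original post and not ESAPI's source). The class name, both regexes and the exception messages are constructed for illustration, and the model assumes the empty-input check runs before the whitelist pattern, as the message describes.

```java
import java.util.regex.Pattern;

// Simplified stand-in for a getValidInput-style check; hypothetical, not ESAPI code.
public class ServletPathCheck {

    // Constructed patterns; neither is copied from ESAPI.properties.
    static final Pattern REQUIRES_SLASH = Pattern.compile("^/[a-zA-Z0-9.\\-_/]*$");
    static final Pattern ACCEPTS_EMPTY  = Pattern.compile("^[a-zA-Z0-9.\\-_/]*$");

    // Assumption: empty input is handled before the whitelist pattern is consulted.
    static String getValidInput(String context, String input, Pattern whitelist,
                                int maxLength, boolean allowNull) {
        if (input == null || input.trim().isEmpty()) {
            if (allowNull) return null;
            throw new IllegalArgumentException(context + ": empty input rejected");
        }
        if (input.length() > maxLength) {
            throw new IllegalArgumentException(context + ": longer than " + maxLength);
        }
        if (!whitelist.matcher(input).matches()) {
            throw new IllegalArgumentException(context + ": does not match whitelist");
        }
        return input;
    }

    static String attempt(String path, Pattern whitelist, boolean allowNull) {
        try {
            String clean = getValidInput("HTTP servlet path", path, whitelist, 100, allowNull);
            return "accepted -> " + (clean == null ? "null" : "\"" + clean + "\"");
        } catch (IllegalArgumentException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        String rootPath = "";  // empty servlet path of a war deployed at the root, as in the post
        System.out.println("strict regex,  allowNull=false: " + attempt(rootPath, REQUIRES_SLASH, false));
        System.out.println("relaxed regex, allowNull=false: " + attempt(rootPath, ACCEPTS_EMPTY, false));
        System.out.println("relaxed regex, allowNull=true:  " + attempt(rootPath, ACCEPTS_EMPTY, true));
        System.out.println("non-empty, disallowed chars:    " + attempt("/app;jsessionid=1", ACCEPTS_EMPTY, true));
    }
}
```

In this model, relaxing the regex alone still rejects the empty path; only the allow-empty flag changes the outcome, and the whitelist keeps rejecting non-empty values with disallowed characters. A caller that permits empty input receives `null` rather than `""` and has to map it back itself.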
