[Esapi-user] SecurityWrapperRequest.getServletPath and root war

Luke Biddell luke.biddell at gmail.com
Sat Apr 10 01:22:19 EDT 2004


I'm wrapping my servlet request using ESAPI. My war is at the root of my
jetty server so my servlet path is just empty "".

I get lots of exceptions stating:

    org.owasp.esapi.errors.ValidationException: HTTP servlet path: : Input required...



SecurityWrapperRequest.getServletPath appears to have two issues:


1) The regex in ESAPI.properties for Validator.HTTPServletPath doesn't
accommodate an empty path.


I found mention of this in discussions around Issue #46 here
https://lists.owasp.org/pipermail/esapi-dev/2011-May/001759.html.

I've used this regex in my config and tested it using QuickRex.

    Validator.HTTPServletPath=(|^/[a-zA-Z0-9./_-]*[a-zA-Z0-9._-]$)


2) The code in SecurityWrapperRequest.getServletPath doesn't allow for a
null.


Looking at the code itself I can't get past the getValidInput check as nulls
(and empty) are not allowed.

    clean = ESAPI.validator().getValidInput("HTTP servlet path: " + path, path, "HTTPServletPath", 100, false);



My application is working ok as the exception is caught in getServletPath
and the clean string returned. However, I get lots of exceptions in my log.


Should I raise a bug or have I missed something?

Luke
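
The two checks discussed in the message above, as an added example that is not part of the original post and is not ESAPI code. `ServletPathCheck` and `isValid` are hypothetical stand-ins built on plain `java.util.regex`; the sketch assumes the validator requires the whole string to match, and shows `find()` only for contrast.

```java
import java.util.regex.Pattern;

public class ServletPathCheck {
    // Regex quoted in the post for Validator.HTTPServletPath.
    static final Pattern POSTED =
        Pattern.compile("(|^/[a-zA-Z0-9./_-]*[a-zA-Z0-9._-]$)");

    // Hypothetical, simplified stand-in for the two checks the post describes:
    // an "input required" check controlled by allowNull, then a length limit
    // and a whole-string pattern match.
    static boolean isValid(String input, Pattern p, int maxLength, boolean allowNull) {
        if ((input == null || input.isEmpty()) && !allowNull) {
            return false;                    // corresponds to "Input required"
        }
        String value = (input == null) ? "" : input;
        return value.length() <= maxLength && p.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample servlet paths; "" is what a root-context war reports.
        String[] samples = { "", "/", "/app", "/app/", "/a/b.jsp", "/a b", "/x?y=1" };
        for (String s : samples) {
            System.out.printf("%-10s allowNull=false:%-5b allowNull=true:%-5b find:%b%n",
                "\"" + s + "\"",
                isValid(s, POSTED, 100, false),  // same flag as the quoted call
                isValid(s, POSTED, 100, true),   // empty path permitted
                POSTED.matcher(s).find());       // partial match, for contrast
        }
    }
}
```

With whole-string matching the posted pattern accepts "" and "/app" but rejects "/" and "/app/", because its final character class excludes the slash. Under `find()` the unanchored empty alternative matches every sample, including "/a b" and "/x?y=1", so the pattern is only a useful allow-list when the validator matches the entire input.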