[Esapi-user] getValidFile bug (ESAPI 2.0, at least)

Kevin W. Wall kevin.w.wall at gmail.com
Wed Aug 4 20:01:35 EDT 2010


Jim Manico wrote:
> I see a bug in the getValidFile validator function. The error message
> for getValidFileName should not use the ESAPI configured extension
> exclusion list (underlined below), but instead should use the
> allowedExtensions function augment. Fair?

Agreed. And while you're making the change, might I suggest that
you add a few lines of code to treat a null or empty allowedExtensions
list as using the _default_ file extensions from
ESAPI.properties. E.g., add this

	if ( allowedExtensions == null || allowedExtensions.size() == 0 ) {
		allowedExtensions =
		   ESAPI.securityConfiguration().getAllowedFileExtensions();
	}

since otherwise someone passing a null or empty list makes no sense and
we should check for that anyway. And note as appropriate in the method's
Javadoc as well.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
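As an added illustration of the two points raised in the thread (a null or empty allowedExtensions argument falling back to the configured default list, and the rejection message naming the list that was actually applied), here is a small stand-alone Java class. It is not ESAPI code; DEFAULT_ALLOWED_EXTENSIONS, FileNameExtensionCheck and InvalidFileNameException are constructed for this example, with the constant standing in for what ESAPI.securityConfiguration().getAllowedFileExtensions() would return from ESAPI.properties. It covers only the extension check discussed above, not the rest of file name validation.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/**
 * Stand-alone example (not ESAPI code) of the behaviour suggested in the
 * thread: a null/empty allowedExtensions list means "use the configured
 * defaults", and the error message lists the extensions actually checked.
 */
public class FileNameExtensionCheck {

    /** Constructed stand-in for the extensions configured in ESAPI.properties. */
    static final List<String> DEFAULT_ALLOWED_EXTENSIONS =
            Collections.unmodifiableList(Arrays.asList(".txt", ".pdf", ".png"));

    /** Thrown when a file name fails validation (hypothetical exception type). */
    public static class InvalidFileNameException extends Exception {
        public InvalidFileNameException(String message) { super(message); }
    }

    /** Resolve the effective list: the caller's list, or the configured default. */
    static List<String> effectiveExtensions(List<String> allowedExtensions) {
        if (allowedExtensions == null || allowedExtensions.isEmpty()) {
            return DEFAULT_ALLOWED_EXTENSIONS;
        }
        return allowedExtensions;
    }

    /**
     * Returns the input unchanged if it ends with one of the effective
     * extensions (compared case-insensitively); otherwise throws with a
     * message that names the list that was actually applied, so the
     * message never refers to a list the caller did not use.
     */
    public static String getValidFileName(String context, String input,
                                          List<String> allowedExtensions)
            throws InvalidFileNameException {
        List<String> effective = effectiveExtensions(allowedExtensions);
        if (input == null || input.isEmpty()) {
            throw new InvalidFileNameException(context + ": file name is empty");
        }
        String lower = input.toLowerCase(Locale.ROOT);
        for (String ext : effective) {
            if (lower.endsWith(ext.toLowerCase(Locale.ROOT))) {
                return input;
            }
        }
        throw new InvalidFileNameException(context + ": extension of '" + input
                + "' is not in the allowed list " + effective);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one caller-supplied list and a null list
        // (which falls back to the configured defaults above).
        List<String> callerList = Arrays.asList(".jsp");
        List<List<String>> lists = Arrays.asList(null, callerList);
        for (String name : new String[] { "report.PDF", "page.jsp" }) {
            for (List<String> list : lists) {
                try {
                    String ok = getValidFileName("upload", name, list);
                    System.out.println("accepted: " + ok + " (list "
                            + effectiveExtensions(list) + ")");
                } catch (InvalidFileNameException e) {
                    System.out.println("rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

Running main prints "report.PDF" accepted against the defaults but rejected against [.jsp], and "page.jsp" the other way round; in each rejection the message shows the list that was really used, which is the point of Jim's fix.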

