[Esapi-user] getValidFile bug (ESAPI 2.0, at least)

Kevin W. Wall kevin.w.wall at gmail.com
Wed Aug 4 20:01:35 EDT 2010

Jim Manico wrote:
> I see a bug in the getValidFile validator function. The error message
> for getValidFileName should not use the ESAPI configured extension
> exclusion list (underlined below), but instead should use the
> allowedExtensions function augment. Fair?

Agreed. And while you're making the change, might I suggest that
you add a few lines of code so that a null or empty allowedExtensions
list is treated as using the _default_ file extensions from
ESAPI.properties. E.g., add this

	if ( allowedExtensions == null || allowedExtensions.size() == 0 ) {
		allowedExtensions =

since otherwise someone passing a null or empty list makes no sense and
we should check for that anyway. And note as appropriate in the method's
Javadoc as well.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
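
The behaviour discussed in this thread, as an added stand-alone Java sketch that is not ESAPI's code and not from either poster: a null or empty allowedExtensions argument falls back to a configured default list, and the rejection message names the list that was actually enforced rather than the global configured one. The default list, the ValidationFailure exception type and the class name are constructed for illustration and stand in for ESAPI.properties and ESAPI's own ValidationException; real ESAPI's getValidFileName also canonicalizes the input and applies a file-name regex, which this sketch leaves out.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/**
 * Illustration only (not ESAPI's implementation): an extension whitelist
 * check in which a null/empty allowedExtensions argument means "use the
 * configured defaults", and the error message reports the effective list.
 */
public class FileNameValidatorExample {

    /** Constructed stand-in for Validator.AllowedFileExtensions in ESAPI.properties. */
    static final List<String> DEFAULT_ALLOWED_EXTENSIONS =
            Collections.unmodifiableList(Arrays.asList(".txt", ".pdf", ".jpg"));

    /** Hypothetical exception type standing in for ESAPI's ValidationException. */
    static class ValidationFailure extends Exception {
        ValidationFailure(String message) {
            super(message);
        }
    }

    /**
     * Returns the input when its extension is on the allowed list.
     *
     * @param context            where the value came from, for the error message
     * @param input              the file name supplied by the caller
     * @param allowedExtensions  whitelist of extensions; null or empty selects the defaults
     * @param allowNull          whether a null/blank input is acceptable
     */
    static String getValidFileName(String context, String input,
                                   List<String> allowedExtensions, boolean allowNull)
            throws ValidationFailure {
        if (input == null || input.trim().isEmpty()) {
            if (allowNull) {
                return null;
            }
            throw new ValidationFailure(context + ": file name is required");
        }

        // Null or empty whitelist falls back to the configured default list,
        // instead of silently rejecting every file name.
        List<String> effective =
                (allowedExtensions == null || allowedExtensions.isEmpty())
                        ? DEFAULT_ALLOWED_EXTENSIONS
                        : allowedExtensions;

        String lower = input.toLowerCase(Locale.ROOT);
        for (String ext : effective) {
            if (lower.endsWith(ext.toLowerCase(Locale.ROOT))) {
                return input;
            }
        }

        // The message names the list that was actually enforced for this call,
        // not the global configured list.
        throw new ValidationFailure(context + ": file name '" + input
                + "' does not end with an allowed extension " + effective);
    }

    public static void main(String[] args) throws ValidationFailure {
        // Caller-supplied list is used, and reported, when present.
        try {
            getValidFileName("upload", "report.pdf", Arrays.asList(".csv"), false);
        } catch (ValidationFailure e) {
            System.out.println(e.getMessage()); // mentions [.csv], not the defaults
        }

        // Null list selects the defaults, so report.pdf is accepted.
        System.out.println(getValidFileName("upload", "report.pdf", null, false));

        // Empty list behaves the same as null.
        System.out.println(getValidFileName("upload", "photo.JPG",
                Collections.<String>emptyList(), false));
    }
}
```

The fallback lives before the loop so that the same `effective` list drives both the check and the message, which keeps the two from ever disagreeing.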
