[Esapi-user] getValidFile bug (ESAPI 2.0, at least)

Jim Manico jim.manico at owasp.org
Wed Aug 4 20:02:39 EDT 2010


  I'd rather throw a Runtime. Acceptable?
- Jim

> Jim Manico wrote:
>> I see a bug in the getValidFile validator function. The error message
>> for getValidFileName should not use the ESAPI configured extension
>> exclusion list (underlined below), but instead should use the
>> allowedExtensions function augment. Fair?
> Agreed. And while you're making the change, might I suggest that
> you add a few lines of code to treat a null or empty allowedExtensions
> list as using the _default_ file extensions from
> ESAPI.properties. E.g., add this
>
> 	if ( allowedExtensions == null || allowedExtensions.size() == 0 ) {
> 		allowedExtensions =
> 		   ESAPI.securityConfiguration().getAllowedFileExtensions();
> 	}
>
> since otherwise someone passing a null or empty list makes no sense and
> we should check for that anyway. And note as appropriate in the method's
> Javadoc as well.
>
> -kevin
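As an added illustration (not ESAPI's own code, and not from Jim or Kevin), here is a standalone Java sketch of the behaviour proposed above: a null or empty allowedExtensions list falls back to the configured defaults, and the rejection message names the list that was actually applied rather than the ESAPI-wide exclusion list. CONFIGURED_DEFAULTS stands in for ESAPI.securityConfiguration().getAllowedFileExtensions(), and the method signature, exception class and sample values are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-alone validator mirroring the proposed getValidFileName change.
public class FileNameExtensionCheck {
    // Stand-in for ESAPI.securityConfiguration().getAllowedFileExtensions();
    // the values are constructed here, not read from ESAPI.properties.
    static final List<String> CONFIGURED_DEFAULTS =
        Arrays.asList(".txt", ".pdf", ".png");

    /** Plays the role ValidationException plays in ESAPI (assumed, simplified). */
    static class InvalidFileNameException extends Exception {
        InvalidFileNameException(String msg) { super(msg); }
    }

    static String getValidFileName(String context, String input,
                                   List<String> allowedExtensions)
            throws InvalidFileNameException {
        // Proposed defaulting step: null/empty means "use the configured list".
        if (allowedExtensions == null || allowedExtensions.isEmpty()) {
            allowedExtensions = CONFIGURED_DEFAULTS;
        }
        if (input == null || input.trim().isEmpty()) {
            throw new InvalidFileNameException(context + ": file name is required");
        }
        // Only a bare file name is acceptable; directory components are rejected.
        if (input.contains("/") || input.contains("\\") || input.contains("..")) {
            throw new InvalidFileNameException(context + ": path components not allowed");
        }
        String lower = input.toLowerCase();
        for (String ext : allowedExtensions) {
            if (lower.endsWith(ext.toLowerCase())) {
                return input;
            }
        }
        // The message is built from the list actually used for this call.
        throw new InvalidFileNameException(context + ": extension of '" + input
            + "' is not one of " + allowedExtensions);
    }

    public static void main(String[] args) throws InvalidFileNameException {
        // An explicit list wins; a null list falls back to CONFIGURED_DEFAULTS.
        System.out.println(getValidFileName("upload", "data.csv", Arrays.asList(".csv")));
        System.out.println(getValidFileName("upload", "report.pdf", null));
        try { getValidFileName("upload", "notes.exe", null); }
        catch (InvalidFileNameException e) { System.out.println(e.getMessage()); }
    }
}
```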
