[Esapi-user] getValidFile bug (ESAPI 2.0, at least)

Jim Manico jim.manico at owasp.org
Wed Aug 4 20:07:00 EDT 2010


How about

if ((allowedExtensions == null) || (allowedExtensions.isEmpty())) {
    throw new ValidationException( "Internal Error", "You called getValidFileName with an empty or null list of allowed Extensions, therefore no files can be uploaded" );
}

Or 

if ((allowedExtensions == null) || (allowedExtensions.isEmpty())) {
    throw new RuntimeException("You called getValidFileName with an empty or null list of allowed Extensions, therefore no files can be uploaded" );
}

?
-----Original Message-----
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com] 
Sent: Wednesday, August 04, 2010 2:02 PM
To: Jim Manico
Cc: esapi-user at lists.owasp.org; 'ESAPI-Developers'
Subject: Re: [Esapi-user] getValidFile bug (ESAPI 2.0, at least)

Jim Manico wrote:
> I see a bug in the getValidFile validator function. The error message
> for getValidFileName should not use the ESAPI configured extension
> exclusion list (underlined below), but instead should use the
> allowedExtensions function argument. Fair?

Agreed. And while you're making the change, might I suggest that
you add a few lines of code to treat a null or empty allowedExtensions
list as using the _default_ file extensions from
ESAPI.properties. E.g., add this

	if ( allowedExtensions == null || allowedExtensions.size() == 0 ) {
		allowedExtensions =
		   ESAPI.securityConfiguration().getAllowedFileExtensions();
	}

since otherwise someone passing a null or empty list makes no sense and
we should check for that anyway. And note as appropriate in the method's
Javadoc as well.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
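Added illustration (not ESAPI's own source, and not code from either poster): a self-contained getValidFileName-style check that puts the two points of the thread side by side. It validates against the allowedExtensions argument rather than a globally configured list, names the list it actually used in the rejection message, and makes the null/empty-list policy explicit, with both options discussed above (fall back to the configured default, or fail closed). The ValidationException class, the configuredDefaultExtensions() method and its ".pdf/.txt/.png" list are hypothetical stand-ins for the real ESAPI classes and ESAPI.properties values; the path-separator/traversal check is an extra guard a file-name validator should have and is not something the thread proposes.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/*
 * Added illustration, not ESAPI source. A getValidFileName-style check that
 * validates against the allowedExtensions *argument*, reports the list it really
 * used, and treats a null/empty argument according to an explicit policy.
 */
public final class FileNameValidatorExample {

    /** Hypothetical stand-in for ESAPI.securityConfiguration().getAllowedFileExtensions(). */
    static List<String> configuredDefaultExtensions() {
        return Arrays.asList(".pdf", ".txt", ".png");
    }

    /** Stand-in for org.owasp.esapi.errors.ValidationException: a user message plus a log message. */
    public static final class ValidationException extends Exception {
        private final String logMessage;
        ValidationException(String userMessage, String logMessage) {
            super(userMessage);
            this.logMessage = logMessage;
        }
        public String getLogMessage() { return logMessage; }
    }

    /** How a null or empty allowedExtensions argument is treated (the two options from the thread). */
    public enum EmptyListPolicy { USE_CONFIGURED_DEFAULT, FAIL_CLOSED }

    public static String getValidFileName(String context, String input,
                                          List<String> allowedExtensions,
                                          EmptyListPolicy policy) throws ValidationException {
        if (input == null || input.trim().isEmpty()) {
            throw new ValidationException(context + ": Invalid file name",
                    context + ": file name was null or empty");
        }

        // Resolve the effective list first so every later message refers to the list actually used.
        List<String> effective = allowedExtensions;
        if (effective == null || effective.isEmpty()) {
            if (policy == EmptyListPolicy.FAIL_CLOSED) {
                throw new ValidationException("Internal Error",
                        "You called getValidFileName with an empty or null list of allowed extensions, "
                        + "therefore no files can be uploaded");
            }
            effective = configuredDefaultExtensions();
        }

        // Extra guard (not from the thread): a bare upload name never contains a directory component.
        if (input.contains("/") || input.contains("\\") || input.contains("..")) {
            throw new ValidationException(context + ": Invalid file name",
                    context + ": file name contains a path separator or traversal sequence: " + input);
        }

        String lower = input.toLowerCase(Locale.ROOT);
        for (String ext : effective) {
            if (lower.endsWith(ext.toLowerCase(Locale.ROOT))) {
                return input;
            }
        }
        // The message names the list that was checked (the argument, or the default it fell back to),
        // not a different configured list.
        throw new ValidationException(context + ": Invalid file name",
                context + ": file name does not have a valid extension. Allowed extensions: " + effective);
    }

    public static void main(String[] args) {
        List<String> onlyCsv = Arrays.asList(".csv");
        tryIt("report.csv", onlyCsv, EmptyListPolicy.FAIL_CLOSED);            // accepted
        tryIt("report.pdf", onlyCsv, EmptyListPolicy.FAIL_CLOSED);            // rejected; message lists [.csv]
        tryIt("notes.txt", null, EmptyListPolicy.USE_CONFIGURED_DEFAULT);     // accepted via configured default
        tryIt("notes.txt", null, EmptyListPolicy.FAIL_CLOSED);                // rejected: caller passed no list
        tryIt("../notes.txt", null, EmptyListPolicy.USE_CONFIGURED_DEFAULT);  // rejected: traversal
    }

    private static void tryIt(String name, List<String> allowed, EmptyListPolicy policy) {
        try {
            System.out.println("OK      " + getValidFileName("upload", name, allowed, policy));
        } catch (ValidationException e) {
            System.out.println("REJECT  " + name + " -> " + e.getLogMessage());
        }
    }
}
```

The second call is the case Jim reported: "report.pdf" is rejected and the log message says ".csv" was the only allowed extension, which is what the caller asked for, even though ".pdf" is in the configured default list. Whichever empty-list policy a project picks, the key is that the policy is chosen on purpose and documented in the method's Javadoc rather than falling out of whatever an empty loop over the list happens to do.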


