[Esapi-user] Path Manipulation Validation

Springett Steven sspringett at us.axway.com
Mon Nov 8 15:50:43 EST 2010


Hello all,

I'm attempting to remove many path manipulation vulnerabilities in some code.

I've been playing with DefaultValidator and the getValidFileName and getValidDirectoryPath methods and need some clarity.

If I'm attempting to open a file, then it is my assumption that the getValidFileName should be used. Is this assumption correct? When is a good time to use getValidDirectoryPath?

Also, I'm looking at the Javadoc for getValidDirectoryPath and there's a parameter missing from the doc. Specifically, 'java.io.File parent'. What is parent supposed to be? I'm a little confused. Is this the parent directory of the directory I'm supposed to be checking? If so, then that doesn't make a whole lot of sense, but perhaps I do not understand the reasoning.

Any clarification would be extremely helpful.

Thanks,
Steve 