[OWASP-ESAPI] SecurityRequestWrapper

Chris Schmidt chrisisbeef at gmail.com
Thu Dec 3 01:46:12 EST 2009


Is there a good reason that the getRequestDispatcher method in this  
wrapper requires the path to begin with WEB-INF?

In my experience, this seems completely counterintuitive and actually
the opposite of what I would envision the overridden method to do.

I think this should instead be checking for traversal issues and  
making sure the requested path does NOT start with WEB-INF but maybe I  
am missing something?

Sent from my iPwn

