chrisisbeef at gmail.com
Thu Dec 3 01:46:12 EST 2009
Is there a good reason that the getRequestDispatcher method in this
wrapper requires the path to begin with WEB-INF?
In my experience, this seems completely counterintuitive and actually
the opposite of what I would envision the overridden method to do.
I think this should instead be checking for traversal issues and
making sure the requested path does NOT start with WEB-INF, but maybe I
am missing something?
Sent from my iPwn