jeff.williams at owasp.org
Thu Dec 3 06:07:39 EST 2009
This is intended to make sure that developers put resources inside web-inf where they can't be force browsed to.
On Dec 3, 2009, at 1:46 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
> Is there a good reason that the getRequestDispatcher method in this
> wrapper requires the path to begin with WEB-INF?
> In my experience, this seems completely counterintuitive and actually
> the opposite of what I would envision the overridden method to do.
> I think this should instead be checking for traversal issues and
> making sure the requested path does NOT start with WEB-INF but maybe I
> am missing something?
> Sent from my iPwn