[OWASP-ESAPI] SecurityRequestWrapper

Jeff Williams jeff.williams at owasp.org
Thu Dec 3 06:07:39 EST 2009


This is intended to make sure that developers put resources inside web-inf
where they can't be force browsed to.

--Jeff





On Dec 3, 2009, at 1:46 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

> Is there a good reason that the getRequestDispatcher method in this
> wrapper requires the path to begin with WEB-INF?
>
> In my experience, this seems completely counterintuitive and actually
> the opposite of what I would envision the overridden method to do.
>
> I think this should instead be checking for traversal issues and
> making sure the requested path does NOT start with WEB-INF but maybe I
> am missing something?
>
> Sent from my iPwn


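An added illustration of the behaviour discussed in this thread, not ESAPI's code and not written by either poster: a servlet request wrapper that only dispatches to paths under /WEB-INF/, which the container never serves directly to clients, and that also rejects traversal segments. The class name, the exact prefix form and the extra character checks are assumptions.

```java
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper for illustration; not ESAPI's own wrapper class.
public class WebInfOnlyRequest extends HttpServletRequestWrapper {

    // Assumed form of the required prefix (context-relative, case-sensitive).
    private static final String PREFIX = "/WEB-INF/";

    public WebInfOnlyRequest(HttpServletRequest request) {
        super(request);
    }

    // True only for context-relative paths that start and stay under /WEB-INF/.
    static boolean isForwardable(String path) {
        if (path == null || !path.startsWith(PREFIX)) {
            return false;
        }
        // Conservative assumption: refuse backslashes, percent-encoding and NUL
        // so no later normalisation or decoding step can change the target.
        if (path.contains("\\") || path.contains("%") || path.indexOf('\0') >= 0) {
            return false;
        }
        // A prefix check alone is not enough: /WEB-INF/../admin.jsp passes it.
        for (String segment : path.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    @Override
    public RequestDispatcher getRequestDispatcher(String path) {
        if (!isForwardable(path)) {
            throw new IllegalArgumentException(
                "Forward target must be under " + PREFIX);
        }
        return super.getRequestDispatcher(path);
    }
}
```

With this wrapper, `/WEB-INF/jsp/account.jsp` is dispatched, while `/account.jsp` and `/WEB-INF/../account.jsp` are refused, so views that are only reachable by forward cannot also be requested by URL.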