chrisisbeef at gmail.com
Thu Dec 3 10:49:04 EST 2009
I can see a lot of situations where this makes sense, but what to do if you
need to do a server side forward to someplace that is publicly accessible? I
know in our codebase at work, we very frequently need to do this, and a 301
is not acceptable for SEO reasons? It seems like at minimum, this behavior
should be configurable. Perhaps a configuration option for the
SecurityWrapper so that multiple filters could be set up which have different
On Thu, Dec 3, 2009 at 4:07 AM, Jeff Williams <jeff.williams at owasp.org> wrote:
> This is intended to make sure that developers put resources inside web-inf
> where they can't be force browsed to.
> On Dec 3, 2009, at 1:46 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>> Is there a good reason that the getRequestDispatcher method in this
>> wrapper requires the path to begin with WEB-INF?
>> In my experience, this seems completely counterintuitive and actually
>> the opposite of what I would envision the overridden method to do.
>> I think this should instead be checking for traversal issues and
>> making sure the requested path does NOT start with WEB-INF but maybe I
>> am missing something?
>> Sent from my iPwn
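An added example, not ESAPI's own code and not code posted in this thread, of the configurable approach Chris asks for: a hypothetical HttpServletRequestWrapper whose getRequestDispatcher() rejects traversal sequences and then permits only a configurable list of path prefixes, so one filter instance can be restricted to /WEB-INF/ while another allows a publicly accessible directory such as /public/. The class name, the isAllowedForwardPath helper and the prefix values are assumptions; only the javax.servlet types are real.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical wrapper (not ESAPI's SecurityWrapperRequest) that validates the
 * path handed to getRequestDispatcher() against a per-instance policy. Each
 * filter can construct it with a different prefix list, which is the
 * "configurable" behaviour discussed in the thread.
 */
public class ForwardPolicyRequestWrapper extends HttpServletRequestWrapper {

    private final List<String> allowedPrefixes;

    public ForwardPolicyRequestWrapper(HttpServletRequest request, List<String> allowedPrefixes) {
        super(request);
        this.allowedPrefixes = allowedPrefixes;
    }

    /** True when the forward target is acceptable under the given prefix policy. */
    static boolean isAllowedForwardPath(String path, List<String> allowedPrefixes) {
        if (path == null || !path.startsWith("/")) {
            return false; // only context-relative absolute paths are forwarded
        }
        // Reject traversal and encoded separators before any prefix comparison.
        // Forward paths are not URL-decoded by the container, so a literal "%2e"
        // or "%2f" in a forward target is itself suspicious and is refused.
        String lower = path.toLowerCase();
        if (lower.contains("..") || lower.contains("\\")
                || lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) {
            return false;
        }
        // Collapse repeated slashes so "//WEB-INF/x" cannot dodge a "/WEB-INF/" prefix.
        String normalized = path.replaceAll("/+", "/");
        for (String prefix : allowedPrefixes) {
            if (normalized.startsWith(prefix)) {
                return true;
            }
        }
        return false; // fail closed: nothing matched the configured policy
    }

    @Override
    public RequestDispatcher getRequestDispatcher(String path) {
        if (!isAllowedForwardPath(path, allowedPrefixes)) {
            // Refuse rather than forward to a resource outside the configured roots.
            throw new IllegalArgumentException("Forward target not permitted by policy: " + path);
        }
        return super.getRequestDispatcher(path);
    }

    /** Constructed demonstration inputs; two policies mirror the two use cases in the thread. */
    public static void main(String[] args) {
        List<String> internalOnly = Arrays.asList("/WEB-INF/");
        List<String> internalAndPublic = Arrays.asList("/WEB-INF/", "/public/");
        String[] candidates = {
            "/WEB-INF/jsp/page.jsp",
            "/public/landing.jsp",
            "/WEB-INF/../etc/passwd",
            "//WEB-INF/jsp/page.jsp",
            "/public/%2e%2e/WEB-INF/web.xml"
        };
        for (String candidate : candidates) {
            System.out.println(candidate
                    + "  internalOnly=" + isAllowedForwardPath(candidate, internalOnly)
                    + "  internalAndPublic=" + isAllowedForwardPath(candidate, internalAndPublic));
        }
    }
}
```

The policy check is kept in a static helper so it can be unit-tested without a servlet container; the wrapper only decides what to do on rejection. Throwing is one choice; a production filter would more likely log the attempt and return an error response, but it should never silently fall through to the unwrapped dispatcher.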