[OWASP-ESAPI] Suggestions from the field...

Kevin W. Wall kevin.w.wall at gmail.com
Mon Dec 21 21:03:55 EST 2009

Jim Manico wrote:
> The getValidFileName method does not validate that the file exists
> within a specified safe parent directory.  This protection is provided
> in the getValidDirectoryPath method.  This seems like a critical
> vulnerability to protect against for filePaths....
> How about adding a new getValidFilePath method that provides this
> protection?
> You like?

Yes, I like, but IIRC, I think this is one of those places where
symbolic links can bite you in the @rse.  I think Java returns the
physical path rather than the logical path.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
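As an added illustration of the containment check Jim proposes and the symlink behaviour Kevin points out (example code written here, not ESAPI's own): the class name `SafeFilePath`, the exact signature of `getValidFilePath` and the demo directory are assumptions; the method canonicalizes both the safe parent and the candidate with `File.getCanonicalFile()`, so `..` segments collapse and symbolic links resolve to their physical location before the prefix comparison.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not ESAPI code): checks that a candidate file lives inside
 * a safe parent directory. Both paths are canonicalized, so symbolic links
 * are resolved to their physical location before the containment check.
 */
public class SafeFilePath {

    // Hypothetical helper; the name mirrors the method proposed on the list.
    public static File getValidFilePath(File safeParent, String input) throws IOException {
        if (input == null || input.isEmpty()) {
            throw new IOException("empty file name");
        }
        // Resolve the physical directory so a parent that is itself a symlink
        // is compared on the same footing as the candidate.
        File parent = safeParent.getCanonicalFile();
        if (!parent.isDirectory()) {
            throw new IOException("safe parent is not a directory: " + parent);
        }
        // getCanonicalFile collapses "." and ".." and follows symlinks to the
        // physical path. A link placed inside the parent that points outside
        // it is therefore rejected, which is what a containment check wants;
        // a caller expecting the logical (link) path back will not get it.
        File candidate = new File(parent, input).getCanonicalFile();
        // Trailing separator prevents "/safe-dir2" matching "/safe-dir".
        // Note: this comparison is case-sensitive; adjust on case-insensitive
        // filesystems.
        String parentPath = parent.getPath() + File.separator;
        if (!candidate.getPath().startsWith(parentPath)) {
            throw new IOException("path escapes safe directory: " + input);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo directory under the JVM temp dir.
        File safe = new File(System.getProperty("java.io.tmpdir"), "esapi-safe-demo");
        safe.mkdirs();
        System.out.println("accepted: " + getValidFilePath(safe, "report.txt"));
        try {
            getValidFilePath(safe, "../outside.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```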
