[OWASP-ESAPI] Suggestions from the field...

Kevin W. Wall kevin.w.wall at gmail.com
Mon Dec 21 21:03:55 EST 2009


Jim Manico wrote:
> The getValidFileName method does not validate that the file exists
> within a specified safe parent directory.  This protection is provided
> in the getValidDirectoryPath method.  This seems like a critical
> vulnerability to protect against for filePaths....
> 
> How about adding a new getValidFilePath method that provides this
> protection?
> 
> You like?

Yes, I like, but IIRC, I think this is one of those places where
symbolic links can bite you in the @rse.  I think Java returns the
physical path rather than the logical path.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
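The symlink caveat Kevin raises can be made concrete. The class below is an added example, not ESAPI code and not Jim's proposed method; it borrows the name getValidFilePath from the proposal above for illustration. It checks a file against a safe parent directory using File.getCanonicalFile(), which returns the physical (symlink-resolved) path, and it canonicalizes both the candidate and the parent, since comparing a resolved file path against an unresolved parent path is the usual way this check goes wrong. The temporary directory layout it builds (an ordinary file, a symlink inside the safe directory that points outside it, and a symlink used as the parent itself) is constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative check (hypothetical, not ESAPI's own getValidDirectoryPath):
 * accept a file only if its canonical path lies under the canonical parent.
 */
public final class SafeFilePath {

    private SafeFilePath() {}

    /** Returns the canonical file if it lies inside parent; throws otherwise. */
    public static File getValidFilePath(File parent, String input) throws IOException {
        // Canonicalize BOTH sides. getCanonicalFile() resolves symlinks, so a
        // parent that is itself a symlink (e.g. /var/www -> /srv/www) would
        // reject every file if only the candidate were resolved.
        String parentCanon = parent.getCanonicalFile().getPath() + File.separator;
        File candidate = new File(parent, input).getCanonicalFile();
        if (!candidate.getPath().startsWith(parentCanon)) {
            throw new IOException("path resolves outside safe parent: " + input);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo layout under a fresh temp directory:
        //   base/safe/ok.txt
        //   base/outside/secret.txt
        //   base/safe/link  -> base/outside/secret.txt  (symlink inside safe dir)
        //   base/alias      -> base/safe                (symlink used as parent)
        Path base = Files.createTempDirectory("esapi-demo");
        Path safe = Files.createDirectory(base.resolve("safe"));
        Path outside = Files.createDirectory(base.resolve("outside"));
        Files.write(safe.resolve("ok.txt"), "fine".getBytes());
        Files.write(outside.resolve("secret.txt"), "secret".getBytes());
        Files.createSymbolicLink(safe.resolve("link"), outside.resolve("secret.txt"));
        Files.createSymbolicLink(base.resolve("alias"), safe);

        File parent = safe.toFile();
        report(parent, "ok.txt");                 // accepted
        report(parent, "../outside/secret.txt");  // rejected: traversal
        report(parent, "link");                   // rejected: physical target is outside
        report(new File(base.toFile(), "alias"), "ok.txt"); // accepted, parent canonicalized too
    }

    private static void report(File parent, String input) {
        try {
            System.out.println("ACCEPT " + input + " -> " + getValidFilePath(parent, input));
        } catch (IOException e) {
            System.out.println("REJECT " + input + ": " + e.getMessage());
        }
    }
}
```

Note the "link" case: the entry is logically inside the safe directory, but because Java resolves it to its physical target the check rejects it. Whether that is the behaviour you want depends on the deployment; what you cannot do safely is compare a resolved candidate against an unresolved parent, or skip resolution and let the symlink point anywhere.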

