[OWASP-ESAPI] SafeRequests within SafeRequests
jeff.williams at owasp.org
Tue May 26 11:24:18 EDT 2009
Thanks for the feedback - totally agree. We updated the main ESAPIFilter to
handle this before December. However, the SafeHTTPFilter didn't have this
check. It's been fixed in SVN now. Thanks!

By the way, this shouldn't happen unless you're calling the filter
repeatedly. I'm curious what is causing this to happen. Do you have the
dispatcher set up to handle FORWARD?

> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-
> bounces at lists.owasp.org] On Behalf Of Rogan Dawes
> Sent: Tuesday, May 26, 2009 8:24 AM
> To: Stewart Short
> Cc: owasp-esapi at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] SafeRequests within SafeRequests
> Stewart Short wrote:
> > Our web applications are based on WebLogic 8.1 page flows which is a
> > technology built on top of Struts. I have recently been looking at
> > integrating OWASP ESAPI (v1.4) and one problem I noticed is that when
> > processing involves a chain of actions, i.e. resulting in *.do
> > you end up with SafeRequests within SafeRequests, with one level for
> > each action in the chain. Therefore, should the doFilter method in
> > SafeHTTPFilter only create a new SafeRequest if the request passed in is
> > not an instance of SafeRequest?
> Yes, I think so.
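
Added example, not part of the original thread and not ESAPI's own code: a dependency-free Java sketch of the check discussed above, comparing a filter that wraps on every pass with one that wraps only when the request is not already wrapped. Request, SafeWrapper, wrapAlways and wrapOnce are hypothetical stand-ins for HttpServletRequest, SafeRequest and the body of doFilter.

```java
import java.util.function.UnaryOperator;

public class WrapOnceDemo {
    // Stand-in for HttpServletRequest (hypothetical; keeps the demo dependency-free).
    interface Request { String getParameter(String name); }

    // Stand-in for a SafeRequest-style wrapper around the container's request.
    static final class SafeWrapper implements Request {
        final Request inner;
        SafeWrapper(Request inner) { this.inner = inner; }
        public String getParameter(String name) {
            String v = inner.getParameter(name);
            // Placeholder for the wrapper's real validation; runs once per nesting level.
            return v == null ? null : v.trim();
        }
    }

    // Unguarded filter body: wraps on every pass, so forwards stack wrappers.
    static Request wrapAlways(Request r) { return new SafeWrapper(r); }

    // Guarded filter body: wrap only if the incoming request is not already wrapped.
    static Request wrapOnce(Request r) {
        return (r instanceof SafeWrapper) ? r : new SafeWrapper(r);
    }

    // Counts how many wrapper layers sit on top of the original request.
    static int depth(Request r) {
        int d = 0;
        while (r instanceof SafeWrapper) { d++; r = ((SafeWrapper) r).inner; }
        return d;
    }

    // Simulates a chain of forwarded actions, each one re-entering the filter.
    static int depthAfterChain(UnaryOperator<Request> filter, int actions) {
        Request r = name -> " constructed-value ";  // constructed sample input
        for (int i = 0; i < actions; i++) r = filter.apply(r);
        return depth(r);
    }

    public static void main(String[] args) {
        System.out.println("wrapAlways depth: " + depthAfterChain(WrapOnceDemo::wrapAlways, 3));
        System.out.println("wrapOnce depth:   " + depthAfterChain(WrapOnceDemo::wrapOnce, 3));
    }
}
```

The nesting depth printed for each variant shows how many times the wrapper's checks would run on a single parameter read after a three-action chain.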