[OWASP-ESAPI] SafeRequests within SafeRequests

Stewart Short stewart_short at hotmail.com
Tue May 26 11:41:35 EDT 2009


Thanks Jeff,

 

Filter mappings being used are...

<filter-mapping>
  <filter-name>SafeHTTPFilter</filter-name>
  <url-pattern>/pageflows/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>ESAPIFilter</filter-name>
  <url-pattern>/pageflows/*</url-pattern>
</filter-mapping>

Stewart
 
> From: jeff.williams at owasp.org
> To: lists at dawes.za.net; stewart_short at hotmail.com
> CC: owasp-esapi at lists.owasp.org
> Subject: RE: [OWASP-ESAPI] SafeRequests within SafeRequests
> Date: Tue, 26 May 2009 11:24:18 -0400
> 
> Hi Stewart,
> 
> Thanks for the feedback - totally agree. We updated the main ESAPIFilter to
> handle this before December. However, the SafeHTTPFilter didn't have this
> check. It's been fixed in SVN now. Thanks!
> 
> chain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());
> 
> By the way, this shouldn't happen unless you're calling the filter
> repeatedly. I'm curious what is causing this to happen. Do you have the
> dispatcher set up to handle FORWARD?
> 
> <filter-mapping>
>   <filter-name>ESAPIFilter</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>FORWARD</dispatcher>
>   <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
> 
> Thanks,
> 
> --Jeff
> 
> > -----Original Message-----
> > From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Rogan Dawes
> > Sent: Tuesday, May 26, 2009 8:24 AM
> > To: Stewart Short
> > Cc: owasp-esapi at lists.owasp.org
> > Subject: Re: [OWASP-ESAPI] SafeRequests within SafeRequests
> > 
> > Stewart Short wrote:
> > >
> > >
> > > Our web applications are based on WebLogic 8.1 page flows which is a
> > > technology built on top of struts. I have recently been looking at
> > > integrating OWASP ESAPI (v1.4) and one problem I noticed is that when
> > > processing involves a chain of actions, i.e. resulting in *.do requests,
> > > you end up with SafeRequests within SafeRequests, with one level for
> > > each action in the chain. Therefore, should the doFilter method in
> > > SafeHTTPFilter only create a new SafeRequest if the request passed in is
> > > not an instance of SafeRequest?
> > 
> > Yes, I think so.
> > 
> > Rogan
> 
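
The check discussed in this thread, as an added example (not ESAPI's code and not code from any of the posters): a servlet filter that wraps a request only when no wrapper of its own type is already in the wrapper chain. It goes one step beyond a plain instanceof test on the outermost object by also finding the wrapper when another wrapper sits on top of it. `WrapOnceFilter`, `SafeRequestWrapper` and its validation rule are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter (not ESAPI's SafeHTTPFilter): wraps each request at most once.
public class WrapOnceFilter implements Filter {

    // Hypothetical stand-in for a validating request wrapper such as SafeRequest.
    static class SafeRequestWrapper extends HttpServletRequestWrapper {
        SafeRequestWrapper(HttpServletRequest request) { super(request); }

        public String getParameter(String name) {
            String value = super.getParameter(name);
            // Constructed rule for the example: reject values containing control characters.
            return (value != null && value.matches("[^\\p{Cntrl}]*")) ? value : null;
        }
    }

    // Walk the wrapper chain; true if a SafeRequestWrapper is present at any depth.
    static boolean alreadyWrapped(ServletRequest request) {
        ServletRequest current = request;
        while (current != null) {
            if (current instanceof SafeRequestWrapper) return true;
            if (!(current instanceof ServletRequestWrapper)) return false;
            current = ((ServletRequestWrapper) current).getRequest();
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || alreadyWrapped(req)) {
            // Non-HTTP request, or the filter was re-entered for a chained action: pass through.
            chain.doFilter(req, resp);
            return;
        }
        chain.doFilter(new SafeRequestWrapper((HttpServletRequest) req), resp);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```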
