SecurityWrapperRequest.setAllowableContentRoot() protection evasion

[GoogleCodeExporter]

I think I found a problem with the setAllowableContentRoot method in 
org.owasp.esapi.filters.SecurityWrapperRequest: 

    public void setAllowableContentRoot(String allowableContentRoot) {
        this.allowableContentRoot = allowableContentRoot.startsWith( "/" ) ? "" : "/" + allowableContentRoot;
    }

This looks to me like if you try to use a path starting with "/" it will set 
the allowable root to the empty String "". Shouldn't this be: 

        this.allowableContentRoot = allowableContentRoot.startsWith( "/" ) ? allowableContentRoot : "/" + allowableContentRoot;

The primary purpose of allowableContentRoot is to make sure that a 
RequestDispatcher returned from getRequestDispatcher can only return resources 
under in the WEB-INF directory. However, if you were to attempt to set 
allowableContentRoot using an absolute path of "/WEB-INF/jsp" for example, it 
would essentially remove that protection. 

Is this an error, of is there a specific reason why this method would 'blank 
out' absolute paths? 

-August 

Original issue reported on code.google.com by manico.james@gmail.com on 27 Sep 2010 at 9:47

[GoogleCodeExporter]

Patch attached and ready to checkin. I ran a clean build and all tests pass: 

Tests run: 490, Failures: 0, Errors: 0, Skipped: 0

Original comment by augu...@gmail.com on 28 Sep 2010 at 7:38

• Changed state: Fixed

Attachments:

• [issue 150.diff](https://storage.googleapis.com/google-code-attachments/owasp-esapi-java/issue-150/comment-1/issue 150.diff)

[GoogleCodeExporter]

Changes committed to SVN. 

Original comment by augu...@gmail.com on 28 Sep 2010 at 8:36

[GoogleCodeExporter]

Issue 132 has been merged into this issue.

Original comment by augu...@gmail.com on 4 Nov 2010 at 2:25