demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

SecurityWrapperRequest.setAllowableContentRoot() protection evasion #150

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I think I found a problem with the setAllowableContentRoot method in 
org.owasp.esapi.filters.SecurityWrapperRequest: 

    public void setAllowableContentRoot(String allowableContentRoot) {
        this.allowableContentRoot = allowableContentRoot.startsWith( "/" ) ? "" : "/" + allowableContentRoot;
    }

This looks to me like if you try to use a path starting with "/" it will set 
the allowable root to the empty String "". Shouldn't this be: 

        this.allowableContentRoot = allowableContentRoot.startsWith( "/" ) ? allowableContentRoot : "/" + allowableContentRoot;

The primary purpose of allowableContentRoot is to make sure that a 
RequestDispatcher returned from getRequestDispatcher can only return resources 
under the WEB-INF directory. However, if you were to attempt to set 
allowableContentRoot using an absolute path of "/WEB-INF/jsp" for example, it 
would essentially remove that protection. 

Is this an error, or is there a specific reason why this method would 'blank 
out' absolute paths? 

-August 

Original issue reported on code.google.com by manico.james@gmail.com on 27 Sep 2010 at 9:47
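The following is an added, stand-alone example (not ESAPI's own code, and not part of the original report) that puts the posted normalization next to the proposed one and runs both against a small set of dispatcher paths. The dispatchAllowed() helper is an assumption: it stands in for the prefix check the wrapper's getRequestDispatcher() applies before delegating, and only the startsWith() behaviour matters for the point being made.

```java
// Added example, not ESAPI's own code. Compares the setAllowableContentRoot()
// normalization quoted in the issue with the proposed fix, and shows what a
// prefix-based dispatcher guard does with each result.
public class AllowableContentRootDemo {

    // Normalization exactly as quoted in the issue: an absolute root collapses to "".
    static String normalizeBuggy(String root) {
        return root.startsWith("/") ? "" : "/" + root;
    }

    // Normalization as proposed in the issue: an absolute root is kept unchanged.
    static String normalizeFixed(String root) {
        return root.startsWith("/") ? root : "/" + root;
    }

    // Assumption, not the wrapper's real method: a simplified stand-in for the
    // guard getRequestDispatcher() performs. A path is dispatchable only if it
    // starts with the configured root. Note that "".startsWith-style checks
    // succeed for every path, which is why an empty root disables the guard.
    static boolean dispatchAllowed(String root, String path) {
        return path.startsWith(root);
    }

    public static void main(String[] args) {
        // Constructed inputs: one relative root, one absolute root, and three
        // candidate dispatcher targets (only the first sits under /WEB-INF/jsp).
        String[] roots = { "WEB-INF/jsp", "/WEB-INF/jsp" };
        String[] paths = { "/WEB-INF/jsp/home.jsp", "/index.jsp", "/WEB-INF/web.xml" };

        for (String root : roots) {
            String buggy = normalizeBuggy(root);
            String fixed = normalizeFixed(root);
            System.out.printf("setAllowableContentRoot(\"%s\") -> buggy=\"%s\" fixed=\"%s\"%n",
                    root, buggy, fixed);
            for (String path : paths) {
                System.out.printf("  %-24s buggy:%-5b fixed:%-5b%n", path,
                        dispatchAllowed(buggy, path), dispatchAllowed(fixed, path));
            }
        }
    }
}
```

With the relative root "WEB-INF/jsp" both versions produce "/WEB-INF/jsp" and only "/WEB-INF/jsp/home.jsp" passes. With the absolute root "/WEB-INF/jsp" the quoted code yields "", so every path, including "/index.jsp" and "/WEB-INF/web.xml", passes the guard; the proposed version keeps "/WEB-INF/jsp" and behaves the same as the relative case. A plain prefix comparison also does no canonicalisation, so the root should be set from trusted configuration rather than derived from request data.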

GoogleCodeExporter commented 8 years ago
Patch attached and ready to checkin. I ran a clean build and all tests pass: 

Tests run: 490, Failures: 0, Errors: 0, Skipped: 0

Original comment by augu...@gmail.com on 28 Sep 2010 at 7:38

GoogleCodeExporter commented 8 years ago
Changes committed to SVN. 

Original comment by augu...@gmail.com on 28 Sep 2010 at 8:36

GoogleCodeExporter commented 8 years ago
Issue 132 has been merged into this issue.

Original comment by augu...@gmail.com on 4 Nov 2010 at 2:25