In esapi-2.0_rc10, in DefaultValidator.getValidDirectoryPath(), towards the bottom of the method it checks that the canonical form matches the input. To do this, it gets the canonical path of the File created using the input string. That canonical path is then validated (and encoded, among other things). Then it checks to see if the validated/encoded canonical path is the same string as the input string. This seems odd to me because the input path may be something like "../conf/" (and the canonical path obviously will not). Perhaps getValidDirectoryPath() expects a full directory path for its input argument? But that doesn't make much sense (and isn't indicated in the docs).

I think there is a bug in the code; line 398 in DefaultValidator should read:

if (!canonical.equals(canonicalPath))

instead of:

if (!canonical.equals(input))

That seems to make sense of those three lines of code. Is this a candidate for the next release, possibly?
Original issue reported on code.google.com by manico.james@gmail.com on 9 Dec 2010 at 7:47
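As an added illustration of the comparison the report questions (this is not ESAPI's own code; the character-whitelist validator below is a hypothetical stand-in for the validate/encode step), the following Java program runs both forms of the check on a relative input such as "../conf/" and on its absolute canonical form:

```java
import java.io.File;
import java.io.IOException;

public class DirectoryPathCheckDemo {

    // Hypothetical stand-in for the validate/encode step on the canonical path:
    // rejects anything outside a plain path alphabet and otherwise returns the
    // string unchanged (not ESAPI's real validator).
    static String validateCanonicalPath(String canonicalPath) {
        if (!canonicalPath.matches("[A-Za-z0-9/\\\\:._ -]+")) {
            throw new IllegalArgumentException("invalid characters in path: " + canonicalPath);
        }
        return canonicalPath;
    }

    // The check as the report says line 398 currently reads: the validated
    // canonical path is compared against the raw input string.
    static boolean canonicalMatchesInput(String input) throws IOException {
        String canonicalPath = new File(input).getCanonicalPath();
        String canonical = validateCanonicalPath(canonicalPath);
        return canonical.equals(input);
    }

    // The check as the report proposes: the validated canonical path is compared
    // against the canonical path it was derived from, so the comparison only
    // fails if validation/encoding changed the string.
    static boolean canonicalMatchesCanonicalPath(String input) throws IOException {
        String canonicalPath = new File(input).getCanonicalPath();
        String canonical = validateCanonicalPath(canonicalPath);
        return canonical.equals(canonicalPath);
    }

    public static void main(String[] args) throws IOException {
        String relative = "../conf/";
        // getCanonicalPath() always returns an absolute path, so a relative
        // input can never equal it and the input-based check rejects it.
        System.out.println("relative input, compared to input:     "
                + canonicalMatchesInput(relative));
        System.out.println("relative input, compared to canonical: "
                + canonicalMatchesCanonicalPath(relative));

        // Only when the caller already passes the absolute canonical form do the
        // two checks agree, which is the "expects a full directory path" reading
        // the report raises.
        String absolute = new File(relative).getCanonicalPath();
        System.out.println("absolute input, compared to input:     "
                + canonicalMatchesInput(absolute));
    }
}
```

The canonical path is resolved against the working directory, so the absolute values printed differ per machine, but the true/false outcome of each check does not.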