mway08 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

getValidDirectoryPath needs to verify canonicalization better #191

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In esapi-2.0_rc10, in DefaultValidator.getValidDirectoryPath(), towards the bottom of the method it checks that the canonical form matches the input. To do this, it gets the canonical path of the File created using the input string. That canonical path is then validated (and encoded, among other things).

Then it checks to see if the validated/encoded canonical path is the same string as the input string. This seems odd to me because the input path may be something like "../conf/" (and the canonical path obviously will not).

Perhaps getValidDirectoryPath() expects a full directory path for its input argument? But that doesn't make much sense (and isn't indicated in the docs).

I think there is a bug in the code; line 398 in DefaultValidator should read:
     if (!canonical.equals(canonicalPath))
instead of:
     if (!canonical.equals(input))

That seems to make sense of those three lines of code. Is this a candidate for the next release, possibly?

Original issue reported on code.google.com by manico.james@gmail.com on 9 Dec 2010 at 7:47
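The comparison the report describes, modelled in Python as an added example (this is not ESAPI's Java code, and the validation step is a constructed stand-in: it only requires the canonical path to be an existing directory under an allowed root and then applies `urllib.parse.unquote` where ESAPI would run its encoder canonicalization). The function takes a flag selecting which reference string the validated canonical path is compared against, so the rc10 behaviour (`canonical.equals(input)`) and the proposed fix (`canonical.equals(canonicalPath)`) can be run side by side on the same inputs, including the relative "../conf/" case from the report:

```python
import os
import tempfile
from urllib.parse import unquote


def validate_canonical(canonical_path, allowed_root):
    """Constructed stand-in for 'validate the canonical path'.

    Accepts only an existing directory located under allowed_root, then
    returns the string after a decoding pass (stand-in for the encoder
    canonicalization ESAPI applies to validated strings).
    """
    root = os.path.realpath(allowed_root)
    if os.path.commonpath([root, canonical_path]) != root:
        raise ValueError("directory escapes allowed root: %s" % canonical_path)
    if not os.path.isdir(canonical_path):
        raise ValueError("not an existing directory: %s" % canonical_path)
    return unquote(canonical_path)


def get_valid_directory_path(user_input, cwd, allowed_root, compare_to_input):
    """Model of the tail of DefaultValidator.getValidDirectoryPath().

    1. canonical_path: canonical form of the File built from user_input
       (relative inputs resolve against cwd, like a Java File would).
    2. canonical: the validated/encoded canonical path.
    3. Compare canonical against the raw input (rc10 behaviour, as reported)
       or against canonical_path (the proposed fix).
    """
    canonical_path = os.path.realpath(os.path.join(cwd, user_input))
    canonical = validate_canonical(canonical_path, allowed_root)
    reference = user_input if compare_to_input else canonical_path
    if canonical != reference:
        raise ValueError("canonical form %r does not match %r" % (canonical, reference))
    return canonical


def demo():
    """Run three constructed inputs through both variants of the check.

    Returns {(input_label, variant): "accepted" | "rejected"}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app")           # allowed root
        for name in ("bin", "conf", "%2e%2e"):    # "%2e%2e" is a literal dir name
            os.makedirs(os.path.join(app, name))
        cwd = os.path.join(app, "bin")

        inputs = (
            ("relative", "../conf/"),       # legitimate relative path from the report
            ("escape", "../../outside"),    # resolves outside the allowed root
            ("encoded", "../%2e%2e/"),      # decodes to a different path string
        )
        for label, user_input in inputs:
            for variant, compare_to_input in (("rc10", True), ("fixed", False)):
                try:
                    get_valid_directory_path(user_input, cwd, app, compare_to_input)
                    results[(label, variant)] = "accepted"
                except ValueError:
                    results[(label, variant)] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print("%-8s %-5s -> %s" % (key[0], key[1], outcome))
```

With the rc10 comparison every relative input is rejected, because a canonical absolute path can never equal a string such as "../conf/". With the proposed comparison the legitimate relative directory is accepted, the path that resolves outside the allowed root is still rejected by the validation step, and a canonical path whose decoded form differs from its raw form is still rejected because the validated string no longer equals `canonical_path`.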

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 9 Dec 2010 at 7:53