peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Add method isValidHTTPRequest(HttpServletRequest request) to Validator Interface (1.4.x release ) #263

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
If we add a method to the Validator interface to assert whether an 
HttpServletRequest is valid, clients will not have to use Safe request.
This will improve the "pluggability" of the ESAPI API since some 
application servers do not like wrapping of HttpServletRequest to Safe request. 
For example, Oracle Application Server 10G throws an exception if the 
HttpServletRequest is wrapped to an ESAPI SafeRequest when it checks whether a 
JSP page needs compilation.

The method signature is below:

boolean isValidHTTPRequest(HttpServletRequest request) throws IntrusionException;

DefaultValidator.java already has this method as public.

One can now call something like this from within a filter:
-------------------------------
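// Filter.doFilter() receives a ServletRequest; cast it for the validator
HttpServletRequest httprequest = (HttpServletRequest) request;
if (ESAPI.validator().isValidHTTPRequest(httprequest)) {
  // Request passed validation: continue down the filter chain
  chain.doFilter(request, response);
} else {
  // Request failed validation: stop here and return a fixed message
  response.setContentType("text/html");
  response.getWriter().print("<html>Can't process: Unsafe data sent in request.</html>");
}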
-------------------------------

1.4.x release 
Milestone 2.1

Original issue reported on code.google.com by christof...@gmail.com on 22 Feb 2012 at 2:07

GoogleCodeExporter commented 9 years ago
On the code sample above, ESAPI.validator().isValidHTTPRequest(httprequest) can 
be called w/o calling ESAPI.httpUtilities().setCurrentHTTP();

Original comment by christof...@gmail.com on 22 Feb 2012 at 2:08

GoogleCodeExporter commented 9 years ago
Attached is DefaultValidator.java with the new public method.

Original comment by christof...@gmail.com on 22 Feb 2012 at 3:27

GoogleCodeExporter commented 9 years ago

Original comment by M.Gelma...@gmail.com on 13 Nov 2014 at 6:21