y1z2g3 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

ESAPI.validator().isValidHTTPRequest always returns true from ESAPIFilter.doFilter #10

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Perform an HTTP request with a parameter value that does not match the whitelist.

What is the expected output? What do you see instead?
The call to isValidHTTPRequest is returning true even though the request is not valid.

What version of the product are you using? On what operating system?
Latest SVN

Please provide any additional information below.
isValidHTTPRequest is validating the input it gets from the SafeRequest.get methods. The SafeRequest methods are sanitizing the output before isValidHTTPRequest attempts to validate. In this case, the filter doesn't catch the bad input and the request is processed normally.

Original issue reported on code.google.com by Calico...@gmail.com on 15 Jan 2009 at 3:59

GoogleCodeExporter commented 8 years ago
I tried to work around this a couple different ways.

First I tried to implement HTTPUtilities, so I could provide isValidHTTPRequest with the original HTTPServletRequest. This didn't work because HTTPUtilities.getCurrentRequest needs to return a SafeRequest. So, I extended SafeRequest in a way that forwards all calls to the original request, without sanitizing the data. Technically this works, but it's kinda fighting the API.

Two solutions came to mind

1) Add isValidHTTPRequest that takes a request passed in. The filter can pass in the original request and bypass the SafeRequest sanitizing code.

2) Change HTTPUtilities.getCurrentRequest to return an HTTPServletRequest. This way, I can extend HTTPUtilities and not wrap the request in a safe request.

Original comment by Calico...@gmail.com on 15 Jan 2009 at 4:14
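The ordering bug in the report and the shape of option 1, as an added stand-alone model. This is not ESAPI's code: the `Request` interface, the `RawRequest` and `SafeRequest` stand-ins, the `username` parameter and its whitelist pattern are assumptions made for the illustration. A filter that validates through the sanitizing wrapper can never see a non-whitelisted character, because the wrapper strips it before the regex runs; the same validator, handed the raw request as option 1 proposes, rejects the value.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added model of the sanitize-before-validate ordering bug described in the issue.
// Not ESAPI's code: every type and name here is an assumption for illustration.
public class SanitizeBeforeValidate {

    // Minimal stand-in for the servlet request; only parameter access matters here.
    interface Request {
        String getParameter(String name);
    }

    // Backing store for a constructed request (assumed, stands in for HttpServletRequest).
    static final class RawRequest implements Request {
        private final Map<String, String> params = new HashMap<>();

        RawRequest with(String name, String value) {
            params.put(name, value);
            return this;
        }

        @Override
        public String getParameter(String name) {
            return params.get(name);
        }
    }

    // Stand-in for SafeRequest: every getter sanitizes on the way out, so a caller
    // reading through it can never observe the original, possibly bad, value.
    static final class SafeRequest implements Request {
        private final Request delegate;

        SafeRequest(Request delegate) {
            this.delegate = delegate;
        }

        @Override
        public String getParameter(String name) {
            String v = delegate.getParameter(name);
            return v == null ? null : v.replaceAll("[^A-Za-z0-9_]", "");
        }
    }

    // Whitelist for the one parameter this model validates (assumed).
    static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    // Validator in the shape of option 1 from the thread: it validates whatever
    // request object is passed in, so the caller decides whether that is the
    // raw request or the sanitizing wrapper.
    static boolean isValidHTTPRequest(Request request) {
        String v = request.getParameter("username");
        return v != null && USERNAME.matcher(v).matches();
    }

    // The reported behaviour: the filter validates the wrapper, so sanitization
    // runs before validation and the bad value is never seen.
    static boolean filterValidatesWrapper(Request raw) {
        return isValidHTTPRequest(new SafeRequest(raw));
    }

    // The corrected ordering: validate the raw request first; the wrapper can
    // still be handed down the chain afterwards for output sanitization.
    static boolean filterValidatesRaw(Request raw) {
        return isValidHTTPRequest(raw);
    }

    public static void main(String[] args) {
        // Constructed input: a parameter value that does not match the whitelist.
        Request raw = new RawRequest().with("username", "alice<script>");
        System.out.println("validated through SafeRequest: " + filterValidatesWrapper(raw));
        System.out.println("validated on raw request:      " + filterValidatesRaw(raw));
    }
}
```

The point to carry over to any validating filter: sanitization and validation must operate on the same view of the input, and validation has to go first. A wrapper that rewrites values on read is useful for defence in depth downstream, but it is the wrong object to hand to a validator whose job is to reject the request.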

GoogleCodeExporter commented 8 years ago
We've implemented option 1 in the new Validator

Original comment by planetlevel on 12 May 2009 at 2:10