struts-dev mailing list archives

From Paul Benedict <paul4chris...@yahoo.com>
Subject Re: Validation Security Hole?
Date Mon, 23 Jan 2006 23:33:45 GMT
I guess I should re-read my emails once I type them and spell check them :) Here's another
shot:
======================
I read all the emails about this and talked a lot about it.

This is my conclusion (and feel free to debate!):

I don't see a way to clog this hole in the wall and provide backwards compatibility. The problem is the historical behavior is wrong and there's no way to right the wrong without providing the correct behavior: specify when an action should be cancelable.

If someone upgrades to Struts 1.2.9 or 1.3.x, they should know that they need to set a property on the action that allows the canceling behavior; to allow it by default sets up a situation in which hackers can drill right through people's automatic validation. It doesn't matter if you rename the cancel key, it matters that the key turns on the engine.

I think there could be 2 ways of doing this. Have a marker interface called CancelableAction which allows the behavior to be turned on; but ultimately controlled by the action mapping. This allows [1] the Java developer to specify the behavior with [2] the configurer to have final say.

Paul
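An added illustration of the two-layer gate proposed above (not Paul's code and not Struts' own implementation): cancel skips validation only when the request carries the cancel key, the action implements the CancelableAction marker, and the mapping permits it. ActionMappingStub and FormStub are hypothetical stand-ins; the only Struts name reused is the request parameter emitted by the html:cancel button.

```java
import java.util.HashMap;
import java.util.Map;

/** Marker interface: the Java developer opts the action into cancel handling. */
interface CancelableAction {}

/** Hypothetical stand-in for the action mapping; the configurer keeps the final say. */
final class ActionMappingStub {
    final boolean cancellable;
    ActionMappingStub(boolean cancellable) { this.cancellable = cancellable; }
}

/** Hypothetical form: validation fails unless the "account" field is present. */
final class FormStub {
    final Map<String, String> params;
    FormStub(Map<String, String> params) { this.params = params; }
    boolean validate() { String v = params.get("account"); return v != null && !v.isEmpty(); }
}

public class CancelGate {
    // Request parameter name emitted by Struts 1's <html:cancel> button.
    static final String CANCEL_KEY = "org.apache.struts.taglib.html.CANCEL";

    /** Historical behaviour: any request carrying the key skipped validation. */
    static boolean legacyCancel(Map<String, String> params) {
        return params.containsKey(CANCEL_KEY);
    }

    /** Proposed behaviour: the key, the marker interface and the mapping must all agree. */
    static boolean gatedCancel(Object action, ActionMappingStub mapping, Map<String, String> params) {
        return params.containsKey(CANCEL_KEY)
            && action instanceof CancelableAction
            && mapping.cancellable;
    }

    /** Returns true if the request reaches the action, false if validation rejects it. */
    static boolean process(Object action, ActionMappingStub mapping, FormStub form, boolean gated) {
        boolean skip = gated ? gatedCancel(action, mapping, form.params) : legacyCancel(form.params);
        return skip || form.validate();
    }

    public static void main(String[] args) {
        Map<String, String> p = new HashMap<>();   // constructed request: cancel key present, no "account"
        p.put(CANCEL_KEY, "Cancel");
        FormStub form = new FormStub(p);
        Object plainAction = new Object();          // an action that was never marked CancelableAction
        ActionMappingStub mapping = new ActionMappingStub(false);
        System.out.println("legacy: " + process(plainAction, mapping, form, false)); // key alone decides
        System.out.println("gated:  " + process(plainAction, mapping, form, true));  // marker and mapping also required
    }
}
```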



