struts-dev mailing list archives

From Paul Benedict <>
Subject Re: Validation Security Hole?
Date Mon, 23 Jan 2006 23:33:45 GMT
I guess I should re-read my emails once I type them and spell check them :) Here's another
I read all the emails about this and talked a lot about it.

This is my conclusion (and feel free to debate!):

I don't see a way to clog this hole in the wall and provide backwards compatibility. The problem is that
the historical behavior is wrong and there's no way to right the wrong without providing the correct
behavior: specify when an action should be cancelable.

If someone upgrades to Struts 1.2.9 or 1.3.x, they should know that they need to set a property on
the action that allows the canceling behavior; to allow it by default sets up a situation in which
hackers can drill right through people's automatic validation. It doesn't matter if you rename the
cancel key, it matters that the key turns on the engine.

I think there could be 2 ways of doing this. Have a marker interface called CancelableAction that
allows the behavior to be turned on, but ultimately controlled by the action mapping. This allows
[1] the Java developer to specify the behavior, with [2] the configurer having the final say.
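The two-layer opt-in described in the message, as an added illustration that is not Struts code and not part of the original post: the cancel key only skips validation when both the developer (marker interface) and the configurer (mapping flag) have allowed it. The `ActionMapping` field, the `CancelGuard` class and the `cancel` parameter name are hypothetical stand-ins, not the Struts API.

```java
// Added illustration of the proposed cancelable-action design; not Struts code.
// Class, field and parameter names below are hypothetical stand-ins.
import java.util.Map;

/** Marker interface: the Java developer declares that this action may be cancelled. */
interface CancelableAction {}

/** Stand-in for a Struts action mapping; the configurer has the final say here. */
final class ActionMapping {
    final boolean cancellable;   // hypothetical mapping attribute set by the configurer
    ActionMapping(boolean cancellable) { this.cancellable = cancellable; }
}

interface Action {}

final class SaveAction implements Action, CancelableAction {}  // developer opted in
final class TransferAction implements Action {}                 // never declared cancelable

final class CancelGuard {
    // Stand-in for the cancel key; per the message, its name is irrelevant.
    static final String CANCEL_PARAM = "cancel";

    /**
     * Returns true only when the request carries the cancel key AND both the
     * developer (marker interface) and the configurer (mapping) opted in.
     * In every other case the request must go through normal validation,
     * so a stray cancel parameter cannot bypass it.
     */
    static boolean skipValidation(Map<String, String> params, Action action, ActionMapping mapping) {
        if (!params.containsKey(CANCEL_PARAM)) {
            return false;                               // no cancel requested: validate
        }
        boolean developerAllows = action instanceof CancelableAction;
        boolean configurerAllows = mapping.cancellable;
        return developerAllows && configurerAllows;     // both layers must agree
    }

    public static void main(String[] args) {
        Map<String, String> cancel = Map.of(CANCEL_PARAM, "Cancel");  // constructed request params
        // Developer and configurer both opted in: cancel is honored.
        System.out.println(skipValidation(cancel, new SaveAction(), new ActionMapping(true)));
        // Developer opted in but the mapping says no: validation still runs.
        System.out.println(skipValidation(cancel, new SaveAction(), new ActionMapping(false)));
        // Action never declared cancelable: the cancel key is ignored entirely.
        System.out.println(skipValidation(cancel, new TransferAction(), new ActionMapping(true)));
    }
}
```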
