struts-dev mailing list archives

From Nicolas De Loof <nicolas.del...@capgemini.com>
Subject Re: Validation Security Hole?
Date Mon, 23 Jan 2006 16:53:24 GMT

From what I've understood from your "mapping-declared cancel
parameter", it requires every cancelable mapping to declare its cancel
param, so it is assumed that the action correctly handles canceled
requests.

In this case, changing the cancel key has no effect on security, as
canceling is correctly handled! You may just add a boolean property
"accept-cancel" and make it required for the Struts cancel mechanism to be used.

Nico.

Frank W. Zammetti wrote:

>Joe, I think Rick is correct, I too do not see how this will solve the
>problem.
>
>Recall that the way it works today, you can bypass validate() being fired
>for *any* Action, not just those which are designed to handle a cancel
>button.  This is where the problem arises... depending on what is done in
>validate() (whether we as architects find it appropriate or not) can cause
>problems in execute() and beyond, potentially security problems.
>
>Of course, perhaps Rick and I are *both* not seeing it :)
>

This message contains information that may be privileged or confidential and is the property
of the Capgemini Group. It is intended only for the person to whom it is addressed. If you
are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate,
distribute, or use this message or any part thereof. If you receive this message in error,
please notify the sender immediately and delete all copies of this message.
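The two layers discussed in this exchange, a mapping-level opt-in for cancel handling and an action that treats a canceled request explicitly before touching form data, can be sketched in Struts 1 terms. The code below is an added example for this archive page, not code from the thread or from the Struts code base. It assumes the Struts 1.2-era `RequestProcessor.processValidate` hook, the `Globals.CANCEL_KEY` request attribute that `processPopulate` sets when the cancel parameter is present, and `Action.isCancelled(request)`; the class names, the `acceptCancel` mapping property, the `TransferForm`/`AccountService` types and the struts-config fragment are invented for illustration.

```java
// Added example; each public class goes in its own file in a real project.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.Globals;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/*
 * Assumed struts-config.xml wiring:
 *
 *   <controller processorClass="example.StrictCancelRequestProcessor"/>
 *
 *   <action-mappings type="example.CancelAwareMapping">
 *     <action path="/transfer" type="example.TransferAction" name="transferForm"
 *             scope="request" validate="true" input="/transfer.jsp">
 *       <set-property property="acceptCancel" value="true"/>
 *       <forward name="cancel"  path="/account.jsp"/>
 *       <forward name="success" path="/transferDone.jsp"/>
 *     </action>
 *     <!-- A mapping that does not set acceptCancel keeps the default (false):
 *          a forged cancel parameter is ignored and validate() runs as usual. -->
 *   </action-mappings>
 */

/** Mapping subclass carrying the opt-in flag ("accept-cancel" in the message above). */
public class CancelAwareMapping extends ActionMapping {
    private boolean acceptCancel = false;

    public boolean isAcceptCancel() { return acceptCancel; }
    public void setAcceptCancel(boolean acceptCancel) { this.acceptCancel = acceptCancel; }
}

/**
 * Honors the cancel marker only for mappings that opted in. The stock
 * processValidate() skips validate() for ANY mapping as soon as the
 * Globals.CANCEL_KEY attribute is present; this subclass removes that
 * attribute first when the mapping did not declare acceptCancel.
 */
public class StrictCancelRequestProcessor extends RequestProcessor {
    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response,
                                      ActionForm form, ActionMapping mapping)
            throws IOException, ServletException {
        boolean cancelled = request.getAttribute(Globals.CANCEL_KEY) != null;
        boolean optedIn = mapping instanceof CancelAwareMapping
                && ((CancelAwareMapping) mapping).isAcceptCancel();
        if (cancelled && !optedIn) {
            // Dropping the marker means validate() runs and Action.isCancelled()
            // returns false, so the client gains nothing by sending the cancel key.
            servlet.log("Ignoring cancel parameter on non-cancellable mapping " + mapping.getPath());
            request.removeAttribute(Globals.CANCEL_KEY);
        }
        return super.processValidate(request, response, form, mapping);
    }
}

/** Even on an opted-in mapping, the action branches on cancel before reading the form. */
public class TransferAction extends Action {
    private final AccountService accountService = new AccountService(); // hypothetical service

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (isCancelled(request)) {
            // Canceled: validate() did not run, so nothing on the form may be trusted or used.
            return mapping.findForward("cancel");
        }
        // Only reached after validate() accepted the input (or after the processor
        // stripped a forged cancel marker and validation ran anyway).
        TransferForm transfer = (TransferForm) form; // hypothetical form bean
        accountService.transfer(transfer.getFrom(), transfer.getTo(), transfer.getAmount());
        return mapping.findForward("success");
    }
}
```

The processor change is what closes the gap Frank describes, since it applies to every mapping without relying on each Action author remembering the cancel case; the `isCancelled` check in the action remains useful on mappings that legitimately accept cancel, where `validate()` is skipped by design.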


