From: Paul Benedict
To: Struts Developers List <dev@struts.apache.org>
Subject: Re: Validation Security Hole?
Date: Mon, 23 Jan 2006 15:33:45 -0800 (PST)
Message-ID: <20060123233345.79768.qmail@web32603.mail.mud.yahoo.com>
In-Reply-To: <20060123232826.5803.qmail@web32612.mail.mud.yahoo.com>
List-Id: "Struts Developers List"

I guess I should re-read my emails once I type them and spell check them :) Here's another shot:

======================

I read all the emails about this and talked a lot about it. This is my conclusion (and feel free to debate!):

I don't see a way to clog this hole in the wall and provide backwards compatibility. The problem is that the historical behavior is wrong, and there's no way to right the wrong without providing the correct behavior: specify when an action should be cancelable. If someone upgrades to Struts 1.2.9 or 1.3.x, they should know that they need to set a property on the action that allows the canceling behavior; to allow it by default sets up a situation in which hackers can drill right through people's automatic validation. It doesn't matter if you rename the cancel key; it matters that the key turns on the engine.

I think there could be 2 ways of doing this. Have a marker interface called CancelableAction which allows the behavior to be turned on, but ultimately controlled by the action mapping. This allows [1] the Java developer to specify the behavior, with [2] the configurer having the final say.

Paul
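The two-gate design Paul describes (a marker interface the Java developer opts into, plus a mapping property the configurer controls), as an added example that is not part of the original message and not Struts' own code. It assumes Struts 1.2-era APIs that do exist (`RequestProcessor.processValidate`, `Globals.CANCEL_KEY`, `<controller processorClass>`, `<action className>` with `<set-property>`); the names `CancelableAction`, `CancelableActionMapping` and `CancelGuardRequestProcessor` are hypothetical. The stock processor skips validation whenever the cancel attribute is present on the request, which is the hole: any client can add the cancel parameter to a POST and bypass the form's validate(). The override below strips that attribute unless both gates are open, so the submit is then validated like any other and `Action.isCancelled()` reports false.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.Globals;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/* Hypothetical wiring in struts-config.xml (not shipped with Struts):
 *
 *   <action-mappings>
 *     <action path="/editAccount" type="com.example.EditAccountAction"
 *             name="accountForm" validate="true" input="/edit.jsp"
 *             className="CancelableActionMapping">
 *       <set-property property="cancelable" value="true"/>   <!-- configurer's gate -->
 *     </action>
 *   </action-mappings>
 *   <controller processorClass="CancelGuardRequestProcessor"/>
 *
 * (In a real project each class lives in its own file under a package.)
 */

/** Marker interface: the Action author declares that cancelling this action is acceptable. */
interface CancelableAction {
}

/** Mapping subclass exposing a "cancelable" flag the configurer sets with set-property. */
class CancelableActionMapping extends ActionMapping {
    private boolean cancelable = false;   // default off: upgrading does not silently re-open the hole

    public boolean isCancelable() {
        return cancelable;
    }

    public void setCancelable(boolean cancelable) {
        this.cancelable = cancelable;
    }
}

/** RequestProcessor that honours the cancel token only when both gates are open. */
public class CancelGuardRequestProcessor extends RequestProcessor {

    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response,
                                      ActionForm form, ActionMapping mapping)
            throws IOException, ServletException {

        // processPopulate() set this attribute because the request carried the cancel parameter.
        boolean cancelRequested = request.getAttribute(Globals.CANCEL_KEY) != null;

        if (cancelRequested && !cancelAllowed(mapping)) {
            // Remove the token: the inherited processValidate() skips validation when it is
            // present, and Action.isCancelled() would report a cancel. Without it this is an
            // ordinary submit and runs through ActionForm.validate() like any other.
            request.removeAttribute(Globals.CANCEL_KEY);
            log.warn("Ignoring cancel token on non-cancelable mapping " + mapping.getPath());
        }
        return super.processValidate(request, response, form, mapping);
    }

    /** Both gates must be open: the mapping flag (configurer) and the marker interface (developer). */
    static boolean cancelAllowed(ActionMapping mapping) {
        if (!(mapping instanceof CancelableActionMapping)
                || !((CancelableActionMapping) mapping).isCancelable()) {
            return false;   // configurer has not opted in
        }
        try {
            Class actionClass = Class.forName(mapping.getType(), false,
                    Thread.currentThread().getContextClassLoader());
            return CancelableAction.class.isAssignableFrom(actionClass);   // developer has opted in
        } catch (ClassNotFoundException e) {
            return false;   // fail closed if the action class cannot be resolved
        }
    }
}
```

Design note: dropping the attribute rather than rejecting the request keeps the fix backwards compatible for existing forms (a stray cancel parameter degrades to a normal submit and gets validated), while anything that relied on the bypass now fails visibly at validation instead of silently skipping it.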