struts-dev mailing list archives

From "Rene Gielen" <>
Subject Re: ParameterFilterInterceptor security issue
Date Tue, 12 Aug 2008 13:14:07 GMT

On Tue, 12.08.2008, 14:20, Jeromy Evans wrote:
> This relates to Musachy's recent proposal to remove OGNL entirely from
> the parameter-setting process.  Which I think is a very good idea.

Indeed, removing OGNL for parameters would fix this issue, but even if we
decided to do so, this won't be trivial and might have many side

> If I've understood correctly, currently there is no way to filter the
> parameter names, using regex or otherwise, other than to verify them
> against a whitelist of valid names.

You can blacklist parameter names in the ParameterInterceptor ref,
including the possibility to define RegExp patterns. The latter one is not
possible for the ParameterFilterInterceptor right now, which I think is a
feature we should add.

Jelmer, would you mind creating a Jira issue for that?

- Rene

> jelmer wrote:
>> Hi all,
>> I was looking into an easy way to prevent people binding on fields they
>> shouldn't be binding on.
>> Say you have a User object: you do not want people to be able to bind on
>> the isAdmin property.
>> Various people recommended using the ParameterFilterInterceptor for this,
>> but it seems to be flat-out broken.
>> When you configure an action like this
>> <action name="test" class="com.webapp.action.TestAction">
>>     <interceptor-ref name="param-namevalue-filter">
>>        <param name="blocked">name</param>
>>     </interceptor-ref>
>>     <interceptor-ref name="params"/>
>> </action>
>> then this won't work:
>> /test.action?name=myname
>> but this does:
>> /test.action?(name)=jelmer
>> and so does this:
>> /test.action?((name))=jelmer
>> And so on; in fact it is impossible to block any parameter effectively
>> with the ParameterFilterInterceptor.
>> Btw. I am aware that there is also the excludeParams method on the
>> ParametersInterceptor that accepts a regexp, so theoretically you could
>> use this to block parameters effectively, but it would be extremely hard
>> to write a correct regexp for it. Also I haven't found a way to configure
>> both params interceptors in a paramsPrepareParamsStack. This will only
>> configure the first params interceptor in the stack:
>> <interceptor-ref name="clientCrudStack">
>>    <param name="params.excludeParams">some pattern</param>
>> </interceptor-ref>
>> Struts really seems to be lacking in this area.

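Editor's added illustration (not Struts code, and not written by anyone in this thread): the bypass jelmer shows, where an exact-name block list lets "(name)" and "((name))" through because OGNL resolves them to the same property, and the two alternatives the thread mentions, an exclude regex that has to anticipate every wrapping OGNL accepts, versus an accept pattern that only lets syntactically plain property paths reach the binder. The OGNL evaluation is a tiny stand-in that only models the parenthesis wrapping from the thread; the property names, query strings and both regexes are assumptions made for the demo.

```python
"""Added demo of parameter-name filtering strategies (not Struts code).

The OGNL stand-in below only models one behaviour from the thread:
"(name)" and "((name))" bind the same property as "name". Real OGNL
accepts far more syntax, which is exactly why exact-name block lists
and hand-written exclude regexes are fragile.
"""
import re
from urllib.parse import parse_qsl


def ognl_target(param_name):
    """Stand-in for OGNL: strip any number of wrapping parentheses."""
    expr = param_name.strip()
    while expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1].strip()
    return expr


def filter_exact_blacklist(params, blocked):
    """Block list compared against the raw parameter name (bypassable)."""
    return {k: v for k, v in params.items() if k not in blocked}


# Assumed exclude pattern: tolerate whitespace and parentheses around the
# blocked names. It covers the wrappings shown in the thread and nothing
# else, which is the maintenance burden jelmer describes.
EXCLUDE_RE = re.compile(r"^[\s(]*(name|isAdmin|admin)[\s)]*$")


def filter_exclude_regex(params, pattern=EXCLUDE_RE):
    """Exclude list: drop every name the regex matches."""
    return {k: v for k, v in params.items() if not pattern.match(k)}


# Assumed accept pattern: a plain identifier, optionally followed by
# ".identifier" or "[digits]" segments. Any OGNL punctuation such as "("
# fails to match and is rejected before the block list is consulted.
ACCEPT_RE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\])*$"
)


def filter_accept_pattern(params, blocked, pattern=ACCEPT_RE):
    """Accept pattern first, then the exact block list on the plain name."""
    return {
        k: v for k, v in params.items()
        if pattern.match(k) and k not in blocked
    }


def bound_properties(params):
    """Properties that would actually be set after OGNL evaluation."""
    return {ognl_target(k): v for k, v in params.items()}


def run(query, blocked=("name",)):
    """Return the sorted property names each strategy lets through."""
    # Constructed input: the query string part of a request like
    # /test.action?(name)=jelmer from the thread.
    params = dict(parse_qsl(query, keep_blank_values=True))
    return {
        "exact": sorted(bound_properties(filter_exact_blacklist(params, blocked))),
        "regex": sorted(bound_properties(filter_exclude_regex(params))),
        "accept": sorted(bound_properties(filter_accept_pattern(params, blocked))),
    }


if __name__ == "__main__":
    for q in ("name=myname", "(name)=jelmer", "((name))=jelmer",
              "(+name+)=jelmer", "email=a&user.name=b"):
        print(q, "->", run(q))
```

Run it and the "exact" column shows the bypass: "(name)=jelmer" still binds the property "name", while both the exclude regex and the accept pattern drop it. The accept pattern is the cheaper one to get right, because it never has to enumerate what OGNL might accept; it only has to describe what a legitimate parameter name looks like, which is the whitelist approach Jeromy mentions above.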