struts-dev mailing list archives

From Jeromy Evans <jeromy.ev...@blueskyminds.com.au>
Subject Re: ParameterFilterInterceptor security issue
Date Tue, 12 Aug 2008 12:20:26 GMT

This relates to Musachy's recent proposal to remove OGNL entirely from 
the parameter-setting process, which I think is a very good idea.

If I've understood correctly, currently there is no way to filter the 
parameter names, using regex or otherwise, other than to verify them 
against a whitelist of valid names.

jelmer wrote:
> Hi all,
>
> I was looking into an easy way to prevent people binding on fields they
> shouldn't be binding on.
>
> Say you have a User object, you do not want people to be able to bind on the
> isAdmin property.
>
> Various people recommended using the ParameterFilterInterceptor for this but
> it seems to be flat out broken.
>
> When you configure an action like this
>
> <action name="test" class="com.webapp.action.TestAction">
>     <interceptor-ref name="param-namevalue-filter">
>        <param name="blocked">name</param>
>     </interceptor-ref>
>     <interceptor-ref name="params"/>
> </action>
>
> then this won't work:
>
> /test.action?name=myname
>
> but this does:
>
> /test.action?(name)=jelmer
>
> and so does this:
>
> /test.action?((name))=jelmer
>
> And so on; in fact it is impossible to block any parameter effectively with
> the ParameterFilterInterceptor.
>
>
> Btw. I am aware that there is also the excludeParams method on the
> ParametersInterceptor that accepts a regexp, so theoretically you could use
> this to block parameters effectively, but it would be extremely hard to write
> a correct regexp for it. Also I haven't found a way to configure both params
> interceptors in a paramsPrepareParamsStack. This will only configure the
> first params interceptor in the stack:
>
> <interceptor-ref name="clientCrudStack">
>    <param name="params.excludeParams">some pattern</param>
> </interceptor-ref>
>
> Struts really seems to be lacking in this area.
>
>
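As an added illustration (not code from this thread, nor from Struts itself), the following Python models the two approaches discussed above: an exact-name blocklist of the kind the ParameterFilterInterceptor applies, which the parenthesised names slip past, beside the whitelist-plus-strict-syntax check that Jeromy describes. The bean property names and the allowlist are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed allowlist: the only User properties a request may set.
# Note that isAdmin is deliberately absent.
ALLOWED_PARAMS = {"name", "email"}

# A plain property path: identifiers joined by '.', nothing else. Any OGNL
# punctuation such as '(', ')', '#', '@' or '[' fails this pattern outright.
PLAIN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def parse_query(query):
    """Split a query string into a name -> value dict (constructed input)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def blocklist_filter(params, blocked):
    """Exact-name blocklist, as the thread describes: the raw name is compared
    literally, so '(name)' and '((name))' are not recognised as 'name' even
    though OGNL later evaluates them to the same property."""
    return {k: v for k, v in params.items() if k not in blocked}


def allowlist_filter(params, allowed=ALLOWED_PARAMS):
    """Accept a parameter only if its name is syntactically a plain property
    path AND appears on the allowlist. Rejecting the syntax first means there
    is no regexp to get wrong for each new OGNL wrapping."""
    return {k: v for k, v in params.items() if PLAIN_NAME.match(k) and k in allowed}


def rejected_names(params, allowed=ALLOWED_PARAMS):
    """Names dropped by the allowlist, useful to log for detection."""
    return sorted(set(params) - set(allowlist_filter(params, allowed)))


if __name__ == "__main__":
    for q in ("name=myname", "(name)=jelmer", "((name))=jelmer", "isAdmin=true&name=jelmer"):
        p = parse_query(q)
        print(q, "blocklist->", blocklist_filter(p, {"name"}),
              "allowlist->", allowlist_filter(p), "rejected:", rejected_names(p))
```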

