struts-dev mailing list archives

From "Rene Gielen" <gie...@it-neering.net>
Subject Re: ParameterFilterInterceptor security issue
Date Tue, 12 Aug 2008 09:58:12 GMT
I would not go so far to consider this a security issue, I'd rather say
ParameterFilterInterceptor might not be feature complete.

I think it would be straightforward to also enable RegExp for
ParameterFilterInterceptor, to enhance its usability in this case.

What exactly would be that hard when writing a RegExp for
ParametersInterceptor? If you know your "evil" parameter names, you could
quite safely use a somewhat greedy pattern like .*evilParamName.* IMO.

- Rene

Am Di, 12.08.2008, 11:24, schrieb jelmer:
> Hi all,
>
> I was looking into an easy way to prevent people binding on fields they
> shouldn't be binding on.
>
> Say you have a User object, you do not want people to be able to bind on
> the
> isAdmin property.
>
> Various people recommended using the ParameterFilterInterceptor for this
> but
> it seems to be flat-out broken
>
> When you configure an action like this
>
> <action name="test" class="com.webapp.action.TestAction">
>     <interceptor-ref name="param-namevalue-filter">
>        <param name="blocked">name</param>
>     </interceptor-ref>
>     <interceptor-ref name="params"/>
> </action>
>
> then this won't work :
>
> /test.action?name=myname
>
> but this does :
>
> /test.action?(name)=jelmer
>
> and so does this
>
> /test.action?((name))=jelmer
>
> And so on, in fact it is impossible to block any parameter effectively with
> the ParameterFilterInterceptor.
>
>
> Btw. I am aware that there is also the excludeParams method on the
> ParametersInterceptor that accepts a regexp, so theoretically you could
> use
> this to block parameters effectively but it would be extremely hard to
> write
> a correct regexp for it. Also I haven't found a way to configure both
> params
> interceptors in a paramsPrepareParamsStack. This will only configure the
> first params interceptor in the stack
>
> <interceptor-ref name="clientCrudStack">
>    <param name="params.excludeParams">some pattern</param>
> </interceptor-ref>
>
> Struts really seems to be lacking in this area.
>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
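
The difference between the two filtering strategies discussed in this thread, as an added stand-alone example that is not part of the original messages and not Struts source. The two filter methods are assumptions that mirror what the thread describes: an exact-name blocklist (the "blocked" setting jelmer configured on ParameterFilterInterceptor) and a comma-separated list of regular expressions matched against the whole parameter name (in the spirit of ParametersInterceptor's excludeParams). The parameter names are constructed from jelmer's isAdmin case and the bracketed variants he shows, which the parameters interceptor still binds; the greedy pattern is Rene's `.*evilParamName.*` with isAdmin filled in.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added example, not Struts code. filterExact and filterRegex are assumptions
 * that mirror the behaviour described in the thread; neither is the real
 * implementation of ParameterFilterInterceptor or ParametersInterceptor.
 */
public class ParamFilterDemo {

    /** Exact-name blocklist: a name is dropped only if it is literally in the set. */
    static Map<String, Boolean> filterExact(Set<String> blocked, List<String> paramNames) {
        Map<String, Boolean> dropped = new LinkedHashMap<>();
        for (String name : paramNames) {
            dropped.put(name, blocked.contains(name));
        }
        return dropped;
    }

    /** Regex blocklist: a name is dropped if any pattern matches the whole name. */
    static Map<String, Boolean> filterRegex(String excludeParams, List<String> paramNames) {
        List<Pattern> patterns = new ArrayList<>();
        for (String p : excludeParams.split(",")) {
            patterns.add(Pattern.compile(p.trim()));
        }
        Map<String, Boolean> dropped = new LinkedHashMap<>();
        for (String name : paramNames) {
            boolean hit = false;
            for (Pattern p : patterns) {
                if (p.matcher(name).matches()) {
                    hit = true;
                    break;
                }
            }
            dropped.put(name, hit);
        }
        return dropped;
    }

    public static void main(String[] args) {
        // Constructed request parameter names: the plain property, the bracketed
        // spellings from jelmer's message, a nested path to the same property,
        // and an unrelated legitimate parameter that must stay bindable.
        List<String> names = Arrays.asList(
                "isAdmin", "(isAdmin)", "((isAdmin))", "user.isAdmin", "name");

        Map<String, Boolean> exact = filterExact(
                new HashSet<>(Arrays.asList("isAdmin")), names);
        Map<String, Boolean> regex = filterRegex(".*isAdmin.*", names);

        System.out.printf("%-14s %-8s %s%n", "parameter", "exact", "regex");
        for (String n : names) {
            System.out.printf("%-14s %-8s %s%n", n,
                    exact.get(n) ? "dropped" : "BOUND",
                    regex.get(n) ? "dropped" : "BOUND");
        }
    }
}
```

Running it shows the exact blocklist dropping only the literal `isAdmin` while `(isAdmin)`, `((isAdmin))` and `user.isAdmin` are still bound, whereas the greedy pattern drops all four and leaves `name` alone. The trade-off of the greedy form is that it also drops any legitimate parameter whose name merely contains the substring, which errs on the safe side but should be checked against the action's real field names before it is deployed.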

