struts-dev mailing list archives

From "Gabriel Belingueres" <belingue...@gmail.com>
Subject Re: ParameterFilterInterceptor security issue
Date Tue, 12 Aug 2008 13:43:12 GMT
Look at this related post too:
http://www.nabble.com/paramsPrepareParams-vs.-staticParams-td18773842.html

2008/8/12, Rene Gielen <gielen@it-neering.net>:
>
> On Tue, 12 Aug 2008, 14:20, Jeromy Evans wrote:
> >
> > This relates to Musachy's recent proposal to remove OGNL entirely from
> > the parameter-setting process.  Which I think is a very good idea.
> >
>
> Indeed removing OGNL for parameters would fix this issue, but even if we
> would decide to do so this won't be trivial and might have many side
> effects.
>
> > If I've understood correctly, currently there is no way to filter the
> > parameter names, using regex or otherwise, other than to verify them use
> > a whitelist of valid names.
> >
>
> You can blacklist parameter names in the ParameterInterceptor ref,
> including the possibility to define RegExp patterns. The latter one is not
> possible for the ParameterFilterInterceptor right now, which I think is a
> feature we should add.
>
> Jelmer, would you mind creating a Jira issue for that?
> https://issues.apache.org/struts/
>
> - Rene
>
> > jelmer wrote:
> >> Hi all,
> >>
> >> I was looking into an easy way to prevent people from binding on fields they
> >> shouldn't be binding on.
> >>
> >> Say you have a User object: you do not want people to be able to bind on the
> >> isAdmin property.
> >>
> >> Various people recommended using the ParameterFilterInterceptor for this, but
> >> it seems to be flat-out broken.
> >>
> >> When you configure an action like this
> >>
> >> <action name="test" class="com.webapp.action.TestAction">
> >>     <interceptor-ref name="param-namevalue-filter">
> >>        <param name="blocked">name</param>
> >>     </interceptor-ref>
> >>     <interceptor-ref name="params"/>
> >> </action>
> >>
> >> then this won't work:
> >>
> >> /test.action?name=myname
> >>
> >> but this does:
> >>
> >> /test.action?(name)=jelmer
> >>
> >> and so does this:
> >>
> >> /test.action?((name))=jelmer
> >>
> >> And so on. In fact it is impossible to block any parameter effectively with
> >> the ParameterFilterInterceptor.
> >>
> >>
> >> Btw. I am aware that there is also the excludeParams method on the
> >> ParametersInterceptor that accepts a regexp, so theoretically you could use
> >> this to block parameters effectively, but it would be extremely hard to write
> >> a correct regexp for it. Also I haven't found a way to configure both params
> >> interceptors in a paramsPrepareParamsStack. This will only configure the
> >> first params interceptor in the stack:
> >>
> >> <interceptor-ref name="clientCrudStack">
> >>    <param name="params.excludeParams">some pattern</param>
> >> </interceptor-ref>
> >>
> >> Struts really seems to be lacking in this area.
> >>
> >>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
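The thread above shows why a blocklist compared against the raw parameter name cannot protect a property once the binding layer evaluates the name as an expression: `(name)` and `((name))` are different strings but bind to the same property as `name`. The following is an added Python example (not Struts or OGNL code, and not posted by anyone in the thread) that models the behaviour Jelmer reports and contrasts three filter policies: the literal blocklist that fails, a syntactic allowlist that only lets plain dotted property paths reach the blocklist comparison, and the exact allowlist of bindable names that Jeromy describes. The sample parameters, the `strip_parens` model of the binder, the `SAFE_NAME` pattern and the `user.admin` / `user.email` property names are all constructed for illustration; `SAFE_NAME` is not the pattern Struts itself uses.

```python
import re

# Constructed request parameters modelling the post's examples plus two
# assumed variants targeting a user.admin property; not a real request.
SAMPLE_PARAMS = {
    "name": "myname",
    "(name)": "jelmer",
    "((name))": "jelmer",
    "user.email": "jelmer@example.invalid",
    "user.admin": "true",        # assumed: the isAdmin property from the post
    "(user.admin)": "true",
}

# Properties the application never wants a client to write.
BLOCKED = frozenset({"name", "user.admin"})


def strip_parens(name):
    """Model (not OGNL itself) of the behaviour reported in the thread: a
    name wrapped in any number of matching parentheses is bound to the same
    property as the bare name."""
    while len(name) > 2 and name.startswith("(") and name.endswith(")"):
        name = name[1:-1]
    return name


def literal_blocklist_allows(name, blocked=BLOCKED):
    """The failing strategy: compare the raw parameter name with the
    blocklist. Any alternative spelling of the same target slips through."""
    return name not in blocked


# Assumed syntactic allowlist for parameter names: a dotted path of plain
# identifiers, each optionally followed by a numeric index such as [0].
# Parentheses, quotes, '#', '@', commas and string-keyed brackets never match.
SAFE_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\[\d+\])?"       # first identifier, optional [n]
    r"(\.[A-Za-z_][A-Za-z0-9_]*(\[\d+\])?)*$"  # further dotted segments
)


def syntactic_filter_allows(name, blocked=BLOCKED):
    """Allowlist the *syntax* first, so only a plain property path can reach
    the blocklist comparison; anything that would need expression evaluation
    to resolve is rejected before it is interpreted."""
    return bool(SAFE_NAME.fullmatch(name)) and name not in blocked


def name_allowlist_allows(name, allowed=frozenset({"user.email"})):
    """Strictest strategy: an exact allowlist of the names a form may bind."""
    return name in allowed


def bound_targets(params, policy):
    """Which properties the modelled binder would actually write once the
    given policy has filtered the parameter map."""
    return {strip_parens(k) for k in params if policy(k)}


if __name__ == "__main__":
    for policy in (literal_blocklist_allows, syntactic_filter_allows,
                   name_allowlist_allows):
        print(f"{policy.__name__:28s} -> {sorted(bound_targets(SAMPLE_PARAMS, policy))}")
```

Under the literal blocklist the modelled binder still writes `name` and `user.admin`, because `(name)`, `((name))` and `(user.admin)` are not the blocked strings. Under the syntactic filter only `user.email` survives: the blocklist is only ever consulted for names that cannot carry an expression, so the number of spellings to enumerate in a regexp stops growing. The exact allowlist gives the same result without any blocklist at all, which is why it is the easiest policy to reason about when a form binds to a small, known set of fields.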

