struts-dev mailing list archives

From jelmer <jkupe...@gmail.com>
Subject ParameterFilterInterceptor security issue
Date Tue, 12 Aug 2008 09:24:13 GMT
Hi all,

I was looking into an easy way to prevent people binding on fields they
shouldn't be binding on.

Say you have a User object, you do not want people to be able to bind on the
isAdmin property.

Various people recommended using the ParameterFilterInterceptor for this, but
it seems to be flat out broken.

When you configure an action like this

<action name="test" class="com.webapp.action.TestAction">
    <interceptor-ref name="param-namevalue-filter">
       <param name="blocked">name</param>
    </interceptor-ref>
    <interceptor-ref name="params"/>
</action>

then this won't work:

/test.action?name=myname

but this does:

/test.action?(name)=jelmer

and so does this:

/test.action?((name))=jelmer

And so on. In fact it is impossible to block any parameter effectively with
the ParameterFilterInterceptor.

Btw. I am aware that there is also the excludeParams method on the
ParametersInterceptor that accepts a regexp, so theoretically you could use
this to block parameters effectively, but it would be extremely hard to write
a correct regexp for it. Also I haven't found a way to configure both params
interceptors in a paramsPrepareParamsStack. This will only configure the
first params interceptor in the stack:

<interceptor-ref name="clientCrudStack">
   <param name="params.excludeParams">some pattern</param>
</interceptor-ref>

Struts really seems to be lacking in this area.
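A standalone model of the check, added here as an example in Python and not Struts or XWork code: the exact-match blocklist the post describes sits beside a stricter filter that first requires each parameter name to match an assumed plain-property-path grammar (identifiers, dots, numeric indexes) and then blocks on the root property. The query string is constructed from the three forms shown above plus one legitimate field.

```python
import re
from urllib.parse import parse_qsl

# Blocklist as configured on the page: <param name="blocked">name</param>
BLOCKED = {"name"}

# Assumed grammar for an acceptable parameter name: identifiers joined by dots,
# each optionally followed by a numeric index, e.g. "user.addresses[0].street".
# Parentheses, quotes, '#', '@' and similar expression syntax never match it.
SAFE_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\[\d+\])?(\.[A-Za-z_][A-Za-z0-9_]*(\[\d+\])?)*$"
)


def parse_query(query):
    """Parse a raw query string into a dict of name -> value."""
    return dict(parse_qsl(query, keep_blank_values=True))


def exact_match_filter(params):
    """Blocklist by exact name only, the behaviour the post describes."""
    return {k: v for k, v in params.items() if k not in BLOCKED}


def strict_filter(params):
    """Reject any name that is not a plain property path, then apply the
    blocklist to the root property so "name", "name.first" and "name[0]"
    are all covered by a single blocked entry."""
    kept = {}
    for k, v in params.items():
        if not SAFE_NAME.match(k):
            continue  # "(name)", "((name))" and other wrapped forms are dropped here
        root = re.split(r"[.\[]", k, maxsplit=1)[0]
        if root in BLOCKED:
            continue
        kept[k] = v
    return kept


# Constructed query combining the three forms from the post plus one legitimate field.
CONSTRUCTED_QUERY = "name=myname&(name)=jelmer&((name))=jelmer&email=a%40example.test"

if __name__ == "__main__":
    params = parse_query(CONSTRUCTED_QUERY)
    print("exact-match filter keeps:", exact_match_filter(params))
    print("strict filter keeps:     ", strict_filter(params))
```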
