From: Jeromy Evans
Organization: Blue Sky Minds Pty Ltd
To: Struts Developers List <dev@struts.apache.org>
Subject: Re: ParameterFilterInterceptor security issue
Date: Tue, 12 Aug 2008 22:20:26 +1000
Message-ID: <48A1800A.3000104@blueskyminds.com.au>

This relates to Musachy's recent proposal to remove OGNL entirely from the parameter-setting process.
Which I think is a very good idea. If I've understood correctly, currently there is no way to filter the parameter names, using regex or otherwise, other than to verify them using a whitelist of valid names.

jelmer wrote:
> Hi all,
>
> I was looking into an easy way to prevent people binding on fields they
> shouldn't be binding on.
>
> Say you have a User object, you do not want people to be able to bind on the
> isAdmin property.
>
> Various people recommended using the ParameterFilterInterceptor for this but
> it seems to be flat-out broken.
>
> When you configure an action like this
>
> name
>
> then this won't work:
>
> /test.action?name=myname
>
> but this does:
>
> /test.action?(name)=jelmer
>
> and so does this
>
> /test.action?((name))=jelmer
>
> And so on, in fact it is impossible to block any parameter effectively with
> the ParameterFilterInterceptor.
>
> Btw. I am aware that there is also the excludeParams method on the
> ParametersInterceptor that accepts a regexp, so theoretically you could use
> this to block parameters effectively but it would be extremely hard to write
> a correct regexp for it. Also I haven't found a way to configure both params
> interceptors in a paramsPrepareParamsStack. This will only configure the
> first params interceptor in the stack
>
> some pattern
>
> Struts really seems to be lacking in this area.
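The bypass jelmer describes (a blocked name resurfacing as `(name)` or `((name))`) and Jeromy's point that only a whitelist of valid names actually works can be shown in a small stand-alone check. The following is an added example written for this archive; it is not Struts code and not from either author. It assumes nothing about the Struts interceptor API (the class name `ParamNameGate`, the blocklist entries and the sample parameter names are all constructed for illustration): a structural allowlist that admits only plain property paths runs first, so the blocklist is only ever compared against names that cannot carry OGNL expression syntax.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not Struts code: a parameter-name gate that combines a
 * structural allowlist with a blocklist. Because only plain property paths
 * survive the first check, the blocklist cannot be sidestepped by wrapping
 * a name in OGNL syntax such as "(name)" or "((name))".
 */
public final class ParamNameGate {

    // Structural allowlist: identifier segments joined by '.', each segment
    // optionally followed by a numeric [index]. Parentheses, '#', '@', quotes,
    // '=', whitespace and anything else OGNL could interpret are rejected here.
    private static final Pattern PLAIN_PATH = Pattern.compile(
        "^[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?)*$");

    // Property paths that must never be bound from request parameters
    // (constructed for the example, e.g. the "isAdmin" case from the thread).
    private final Set<String> blockedPaths;

    public ParamNameGate(Set<String> blockedPaths) {
        this.blockedPaths = blockedPaths;
    }

    /** True if the parameter name may be passed on to property binding. */
    public boolean isAllowed(String paramName) {
        // Step 1: structural allowlist. "(name)", "((name))", "#session.x"
        // all fail this test before the blocklist is even consulted.
        if (paramName == null || !PLAIN_PATH.matcher(paramName).matches()) {
            return false;
        }
        // Step 2: blocklist, applied to a name that is now known to be a plain
        // path. Block the exact path and anything nested beneath it.
        for (String blocked : blockedPaths) {
            if (paramName.equals(blocked) || paramName.startsWith(blocked + ".")) {
                return false;
            }
        }
        return true;
    }

    /** Returns a copy of the request parameters with disallowed names removed. */
    public Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isAllowed(e.getKey())) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed blocklist and sample names, including the bypass forms
        // quoted in the thread.
        ParamNameGate gate = new ParamNameGate(Set.of("name", "user.admin"));
        List<String> samples = List.of(
            "name", "(name)", "((name))", "user.admin", "user.admin.flag",
            "user.email", "#session.user", "email");
        for (String s : samples) {
            System.out.println(s + " -> " + (gate.isAllowed(s) ? "allowed" : "dropped"));
        }
    }
}
```

Compile and run with `javac ParamNameGate.java && java ParamNameGate`. The ordering is the whole point: a blocklist compared against the raw parameter string (the weak configuration in the thread) is defeated by any syntactic variant the expression language later normalises back to the same property, whereas a strict structural allowlist run first removes those variants, so the blocklist only sees names it can match literally. If the blocklist is dropped altogether and the allowlist narrowed to the exact property paths an action exposes, this becomes the whitelist Jeromy describes.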