struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Secure parameters
Date Tue, 06 Oct 2015 14:05:51 GMT
2015-10-06 15:59 GMT+02:00 Paul Benedict <pbenedict@apache.org>:
> Can you explain the "secure" aspect? I don't follow what this is trying to
> accomplish. This is not a criticism; just a question.

Right now "parameters" is junk, a bunch of values with unknown origins
- some are coming from Request, some from interceptors, and some from
actions. I want to name them, give them some identity to allow handling
them correctly, i.e. Request params should never be evaluated (as
happens now when someone finds an RCE vulnerability), but at the same
time, params from interceptors (internals) should be passed for
evaluation all the time.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
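
The origin-tagging idea described in the message above, as an added sketch that is not part of the original e-mail and is not Struts code: every name in it (Origin, Param, resolve, evaluate) is hypothetical, and the evaluator is a toy ${key} expander standing in for the framework's real expression evaluation. It assumes Java 16 or later.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OriginTaggedParams {
    // The three sources named in the message; the enum itself is hypothetical.
    enum Origin { REQUEST, INTERCEPTOR, ACTION }

    // A parameter that keeps its origin attached to its value.
    record Param(String name, String value, Origin origin) {}

    // Only framework-internal values may reach the evaluator. The message does
    // not say how action-supplied values are treated; keeping them literal
    // here is an assumption.
    static final Set<Origin> EVALUATED = EnumSet.of(Origin.INTERCEPTOR);

    static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{(\\w+)\\}");

    // Toy stand-in for an expression evaluator: expands ${key} from a context map.
    static String evaluate(String expr, Map<String, String> context) {
        return PLACEHOLDER.matcher(expr).replaceAll(
            m -> Matcher.quoteReplacement(context.getOrDefault(m.group(1), "")));
    }

    // The policy decision is made from the origin tag, never from the content.
    static String resolve(Param p, Map<String, String> context) {
        return EVALUATED.contains(p.origin()) ? evaluate(p.value(), context) : p.value();
    }

    public static void main(String[] args) {
        Map<String, String> context = Map.of("defaultPage", "/home.action");
        // Constructed sample input: the same expression text from two origins.
        List<Param> params = List.of(
            new Param("location", "${defaultPage}", Origin.INTERCEPTOR),
            new Param("location", "${defaultPage}", Origin.REQUEST));
        for (Param p : params) {
            System.out.println(p.origin() + " -> " + resolve(p, context));
        }
    }
}
```

The interceptor-tagged value is expanded from the context, while the identical text arriving with the REQUEST tag is returned unchanged as a plain string.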
