struts-user mailing list archives

From Paul Benedict <paul4chris...@yahoo.com>
Subject Validation Security Hole?
Date Sat, 21 Jan 2006 22:18:00 GMT
I'd like to know if this is considered a security hole to other people besides me. I saved an email off this group back in July and finally went back to investigate it:

It seems that every action in Struts is cancellable, which means for Struts actions that do not religiously check for isCancelled(), a hacker can bypass validation simply by passing in the cancel key ("org.apache.struts.action.CANCEL"). This seems entirely possible through Jakarta HttpClient, or just modifying the URL when possible.

So, in my opinion, it doesn't seem like data from the form is ever truly reliable without the isCancelled() check.

I propose the Controller address this somehow. Maybe by using <set-property> there can be an attribute set at the action to allow validation to be legitimately skipped, or make this configurable at the <controller> level.

Any ideas?

Paul
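For readers of this thread, here is the defensive shape of an Action that does not fall into the trap described above. This is an added example, not code from the post or from Struts itself; it assumes Struts 1.2.x, and SaveProfileAction, ProfileForm, the forward names and the "savedEmail" attribute are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// Hypothetical form: the validate() rule below is exactly what the
// RequestProcessor skips when the request carries the cancel token.
class ProfileForm extends ActionForm {
    private String email = "";
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (email.indexOf('@') < 1) {
            errors.add("email", new ActionMessage("errors.email.invalid"));
        }
        return errors;
    }
}

public class SaveProfileAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // 1. Cancel check first. isCancelled() is the Action base-class helper;
        //    when it is true the framework never called form.validate().
        if (isCancelled(request)) {
            // Navigate away only; never read or store form data on this path.
            return mapping.findForward("cancel");
        }
        // 2. Defence in depth: re-run validate() here so correctness does not
        //    hinge on the mapping's validate="true" setting either.
        ActionErrors errors = form.validate(mapping, request);
        if (errors != null && !errors.isEmpty()) {
            saveErrors(request, errors);
            return mapping.getInputForward();
        }
        // 3. Only now is the form content trustworthy.
        ProfileForm profile = (ProfileForm) form;
        request.setAttribute("savedEmail", profile.getEmail()); // stand-in for persistence
        return mapping.findForward("success");
    }
}
```

The ordering is the whole point: any read of the form before the isCancelled() check is a read of unvalidated input. Later Struts 1.x releases (from 1.2.9) added a cancellable attribute on the action mapping so that the cancel token is rejected for actions that do not opt in, which is close to what the post proposes.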

