struts-user mailing list archives

From Arun M <marunkuma...@gmail.com>
Subject Re: Data Leakage in Struts 2
Date Sun, 27 Jul 2008 08:22:41 GMT


We use STRUTS2 - SPRING - HIBERNATE in our project.
Here is a sample piece of code...
As mentioned earlier... the SCRAPTEXT variable, once set by a request, is being
reused (that is, it gets prefilled in the
textarea of some other user on some other PC).

............. Action Class ----------------------------
public class SocialDetailAction extends com.opensymphony.xwork2.ActionSupport {

    private com.jujubi.services.ProductService productService;

    // Request data held in instance fields of the action
    private String scrapText;
    private int toId;
    private String scrapFromName;
    private boolean secure;

    public String postCustomerScrap() throws Exception {
        // ....
        // HERE WE HAVE THE CODE THAT USES THE GETTERS/SETTERS OF THE MEMBERS
        // ...
        return SUCCESS;
    }

    // GETTERS/SETTERS FOR THE MEMBERS

}



------------ JSP ----------------------------
.......
....
..
<s:form namespace="/jap" action="scrappost">
    <s:textarea name="scrapText" cols="60" rows="3"/>
    <s:checkbox name="secure" label="secure" value="false"></s:checkbox>
    <s:submit value="post scrap" theme="ajax" targets="addScrap" />
</s:form>
.........
.....
...

----------------------- Struts.xml for the action -----------------------

..
.

<action name="scrappost" class="socialDetailAction" method="postCustomerScrap">
    <result name="success">/views/social/ReturnMsg.jsp</result>
    <result name="input">/views/social/PeopsScrapbook.jsp</result>
</action>

...
..




Richard Yee wrote:
> 
> Why don't you post your code? It seems that it might have a threading
> issue.
> 
> -R
> 
> Arun M wrote:
>> We are using Struts 2.0.11.
>>
>> We have lots of action classes. Say one of them is CustomerRegisterAction
>> (which extends ActionSupport). When, say, user X registers himself on
>> the website, this CustomerRegisterAction is populated (using OGNL) and the
>> customer data is saved to the DB. But after some time some other user Y from
>> some other PC comes and clicks the Register link, and the data entered by X is
>> prefilled now.
>>    I think the CustomerRegisterAction is reused, instead of creating a new
>> instance every request. We want to set it up such that a new
>> CustomerRegisterAction is created every HTTP request, so that data is not
>> leaking between users.
>>
>> Please help us.
>>   
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Data-Leakage-in-Struts-2-tp18669314p18674276.html
Sent from the Struts - User mailing list archive at Nabble.com.
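
The symptom described in this thread, reproduced as an added example (not code from the poster or from the Struts project): one action instance shared across requests keeps user X's `scrapText` and shows it to user Y, while a fresh instance per request does not. It assumes the action is supplied by Spring as a default-scope (singleton) bean, which the thread does not show; `ScrapAction`, `handle` and the bean class name in the comment are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Added illustration: plain Java, no Struts or Spring on the classpath.
public class ActionScopeDemo {

    // Stand-in for SocialDetailAction: request data lives in an instance field.
    static class ScrapAction {
        private String scrapText;
        public void setScrapText(String s) { this.scrapText = s; }
        public String getScrapText() { return scrapText; }
    }

    // Hypothetical mini-dispatcher: obtains an action, applies only the parameters
    // present in the request, then returns what the textarea would be pre-filled with.
    static String handle(Supplier<ScrapAction> factory, Map<String, String> params) {
        ScrapAction action = factory.get();
        if (params.containsKey("scrapText")) {
            action.setScrapText(params.get("scrapText"));
        }
        return action.getScrapText();
    }

    public static void main(String[] args) {
        Map<String, String> postFromX = new HashMap<>();
        postFromX.put("scrapText", "private note from X"); // constructed sample input
        Map<String, String> getFromY = new HashMap<>();     // Y only opens the form

        // Singleton: one instance serves every request (Spring's default bean scope).
        ScrapAction shared = new ScrapAction();
        Supplier<ScrapAction> singleton = () -> shared;
        handle(singleton, postFromX);
        System.out.println("singleton, Y sees: " + handle(singleton, getFromY));

        // Prototype: a fresh instance per request, e.g. (placeholder class name)
        //   <bean id="socialDetailAction" class="your.package.SocialDetailAction"
        //         scope="prototype"/>
        Supplier<ScrapAction> prototype = ScrapAction::new;
        handle(prototype, postFromX);
        System.out.println("prototype, Y sees: " + handle(prototype, getFromY));
    }
}
```

With the shared instance the two requests also race on the same field under concurrent load, so per-request instances are the containment for both the stale pre-fill and the threading issue raised in the quoted reply.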

