Subject: Re: data injection attack
From: Dave Newton
To: Struts Users Mailing List
Date: Wed, 4 Jul 2012 09:51:07 -0400

Then whitelist/blacklist. Or don't expose sensitive data directly to the user.

Dave
(pardon brevity, typos, and top-quoting; on cell)

On Jul 4, 2012 8:49 AM, "J. Garcia" wrote:
> My action would have:
>
>     public void setMyBean(MyBean myBean) {...}
>
> and I would like to avoid an injection on myBean.field3. This field could
> be the owner id for instance!
>
> On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart wrote:
> >
> > Another way is to use AnnotationParameterFilterIntereptor (name
> > contains typo) and @Allowed and @Blocked annotations
> >
> > Regards
> > --
> > Łukasz
> > mobile +48 606 323 122 http://www.lenart.org.pl/
> > Warszawa JUG conference - Confitura http://confitura.pl/
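The problem the thread circles around is mass assignment: Struts 2's ParametersInterceptor walks every request parameter name through OGNL, so a client who knows the bean has a `field3` (here, an owner id) can simply send `myBean.field3=...` and the public setter is called. The whitelist Dave mentions can be done in the action itself by implementing `ParameterNameAware`; the interceptor asks the action about each parameter name before it touches the value stack. The following is an added example written for this page, not code from the thread or from the Struts project. It assumes Struts 2.3.x (where `ParameterNameAware` lives in `com.opensymphony.xwork2.interceptor`), and the names `SaveBeanAction`, `MyBean`, `field1`, `field2`, `ownerId` and the session key `"userId"` are all hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Added example (not part of the original thread). An action that binds a
 * nested bean from request parameters (myBean.field1=..., myBean.field2=...)
 * but refuses to let the client set myBean.ownerId, which the server owns.
 *
 * Assumes Struts 2.3.x: ParametersInterceptor calls acceptableParameterName()
 * on any action implementing ParameterNameAware and drops names that return
 * false. All class, field and session-key names below are hypothetical.
 */
public class SaveBeanAction extends ActionSupport implements ParameterNameAware {

    private static final long serialVersionUID = 1L;

    /** Hypothetical bean. ownerId has a public setter (OGNL needs one) but must never be client-settable. */
    public static class MyBean {
        private String field1;
        private String field2;
        private String ownerId;   // the "field3" of the thread

        public String getField1() { return field1; }
        public void setField1(String field1) { this.field1 = field1; }
        public String getField2() { return field2; }
        public void setField2(String field2) { this.field2 = field2; }
        public String getOwnerId() { return ownerId; }
        public void setOwnerId(String ownerId) { this.ownerId = ownerId; }
    }

    /**
     * Exact parameter names the client may supply. Exact-match is deliberate:
     * a blacklist of "myBean.ownerId" would miss OGNL spellings of the same
     * property such as myBean['ownerId'].
     */
    private static final Set<String> ACCEPTED = new HashSet<String>(Arrays.asList(
            "myBean.field1",
            "myBean.field2"));

    private MyBean myBean = new MyBean();

    public MyBean getMyBean() { return myBean; }
    public void setMyBean(MyBean myBean) { this.myBean = myBean; }

    /**
     * Invoked by ParametersInterceptor for every request parameter name before
     * it is set. Returning false makes the interceptor skip the parameter, so
     * "myBean.ownerId=42" never reaches setOwnerId().
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED.contains(parameterName);
    }

    @Override
    public String execute() {
        // The server decides ownership. Assumes login stored the user's id in
        // the session under "userId" (hypothetical key).
        Map<String, Object> session = ActionContext.getContext().getSession();
        myBean.setOwnerId(String.valueOf(session.get("userId")));
        return SUCCESS;
    }

    /** Stand-alone check of the whitelist decisions; needs no running container. */
    public static void main(String[] args) {
        SaveBeanAction action = new SaveBeanAction();
        // Constructed parameter names, as a client might send them.
        String[] names = {
            "myBean.field1",      // accept
            "myBean.field2",      // accept
            "myBean.ownerId",     // drop: server-controlled
            "myBean['ownerId']",  // drop: OGNL alias of the same property
            "field1"              // drop: not a declared parameter at all
        };
        for (String n : names) {
            System.out.println(n + " -> " + (action.acceptableParameterName(n) ? "accept" : "drop"));
        }
    }
}
```

Two practical notes. First, this whitelist is applied in addition to the interceptor's own `excludeParams` and accepted-name patterns configured in struts.xml, not instead of them; a name must pass all of them. Second, rejected parameters are dropped quietly in production (the interceptor only reports them in devMode), so if you want to know that someone is probing `myBean.ownerId`, log the rejection yourself inside `acceptableParameterName()` before returning false.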