tomcat-users mailing list archives

From QM <qm...@brandxdev.net>
Subject Re: Multiple arguments in a GET URL
Date Fri, 01 Oct 2004 21:33:38 GMT
On Fri, Oct 01, 2004 at 04:17:59PM -0500, erh@swapsimple.com wrote:
: > So for example I would have
: > http://ndsc.eng.vzwcorp.com/index.jsp?mainFrame=blahblah.jsp
: 
: 	What you're doing seems like a great way to allow anyone to crash
: your app, or at least use up a lot of memory.  Think what happens if
: someone sends you a url that looks like this:
: 
: http://ndsc.eng.vzwcorp.com/index.jsp?mainFrame=index.jsp

True; it seems the OP would do well to have index.jsp track permitted
values.  "Never trust user input" holds especially true here.

Also, to the OP: how are you calling the target JSP?  If you're doing an
explicit forward() call, there'd be no problem to keep the params the
same.  Put another way, if this is the desired query string for the
target JSP:

	a=b&c=d

and it's requested as
	.../index.jsp?mainFrame=somefile.jsp&a=b&c=d

then what would be the problem with somefile.jsp seeing the "mainFrame"
param?

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
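
The "track permitted values" suggestion above, as an added example that is not part of the original message. The class name, the page names in the table and the default target are assumptions made for illustration.

```java
import java.util.Map;

/** Added illustration: resolves the mainFrame parameter against a fixed allowlist. */
public class MainFrameResolver {

    // Hypothetical page names; index.jsp is deliberately absent so the
    // frame page can never be told to include itself.
    private static final Map<String, String> PERMITTED = Map.of(
            "blahblah.jsp", "/blahblah.jsp",
            "somefile.jsp", "/somefile.jsp");

    // Assumed fallback page, used when the parameter is missing or not permitted.
    private static final String DEFAULT_TARGET = "/blahblah.jsp";

    /**
     * Returns the context-relative path to include or forward to.
     * The request value is only used as a lookup key; the path handed to
     * the dispatcher always comes from the table, never from the request.
     */
    public static String resolve(String requested) {
        if (requested == null) {
            return DEFAULT_TARGET;
        }
        // Exact, case-sensitive match with no trimming, decoding or
        // normalising, so "../x.jsp", "index.jsp" or "SOMEFILE.JSP" all miss.
        return PERMITTED.getOrDefault(requested, DEFAULT_TARGET);
    }

    public static void main(String[] args) {
        // Constructed sample values for the mainFrame parameter.
        String[] samples = {
            "somefile.jsp", "index.jsp", "../WEB-INF/web.xml",
            "http://example.invalid/x.jsp", "", null };
        for (String s : samples) {
            System.out.printf("mainFrame=%-30s -> %s%n", s, resolve(s));
        }
        // In index.jsp the result would be used as, for example:
        //   request.getRequestDispatcher(
        //       MainFrameResolver.resolve(request.getParameter("mainFrame")))
        //       .forward(request, response);
        // forward() hands the original request to the target, so a=b&c=d
        // stay visible to it together with mainFrame.
    }
}
```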

