tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <>
Subject RE: JSP:includes parameter passing vulnerability
Date Wed, 15 Sep 2010 22:21:54 GMT

check to make sure your <jsp:param has an end tag e.g.<jsp:include page="mycommon.jsp"
  <jsp:param name="extraparam" value="myvalue" />

if the browser doesnt see it the end tag the browser throws away the whole tag and uses the
default assignment
(which comes from the jsp:include page=)
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten
wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist
unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet
keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen
wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire
prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe
quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information
seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les
email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune
responsabilité pour le contenu fourni.


> Date: Wed, 15 Sep 2010 13:18:39 -0700
> From:
> To:
> Subject: Re: JSP:includes parameter passing vulnerability
> I agree that in the current design a developer can never trust the
> request parameter. 
> I guess what I'm arguing for is the ability for a developer to decide
> that a parameter will always come from another jsp and never come from
> the URL. However, even in this scenario its possible that the original
> JSP could simply grab it from the URL and then pass it to the included
> JSP via this proposed "safe" parameter pass.
> In the end this is similar to all other input validation/encoding issues
> with user data. I thought I'd point it out since it was interesting and
> caught me by surprise at first.
> Thanks!
> Michael Coates
> On 9/15/10 12:52 PM, Mikolaj Rydzewski wrote:
> > Michael Coates wrote:
> >> It seems to me that the method used to request parameters from an
> >> included jsp file should not "fail over" to the URL if the jsp:include
> >> does not provide the parameter.
> >> 
> > IMO that's incorrect assumption, that one can skip security
> > consideration when using JPS's in 'safe way' (because there're in
> > WEB-INF folder, in this case). It can be reused e.g. by include page
> > directive.
> > Developer should never trust any values passed via request parameter.
> > Period.
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message