At 5:53 PM +0100 1/23/06, Nicolas De Loof wrote:
From what I've understood from your "mapping-declared cancel parameter", it requires every cancelable mapping to declare its cancel param, so it is supposed that the action correctly handles canceled requests.

In this case, changing the cancel key has no effect on security, as canceling is correctly handled! You may just add a boolean property "accept-cancel" and make it required for the Struts cancel mechanism to be used.

This would work about as well, but I thought that making the parameter configurable might appeal to the paranoid.

That said, it would also be a lot more work to implement that way and still support the "html:cancel" tag, so I think I'd opt for Nico's variant.

Joe



Nico.

Frank W. Zammetti wrote:

Joe, I think Rick is correct, I too do not see how this will solve the
problem.

Recall that the way it works today, you can bypass validate() being fired
for *any* Action, not just those which are designed to handle a cancel
button.  This is where the problem arises... depending on what is done in
validate() (whether we as architects find it appropriate or not) can cause
problems in execute() and beyond, potentially security problems.

Of course, perhaps Rick and I are *both* not seeing it :)





---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


--
Joe Germuska
[EMAIL PROTECTED] * http://blog.germuska.com

"You really can't burn anything out by trying something new, and
even if you can burn it out, it can be fixed.  Try something new."
        -- Robert Moog
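As an added illustration of the "accept-cancel" variant discussed above (not code from this thread or from Struts itself), a small Java model of the check a request processor would make: the cancel token skips validate() only for a mapping that has explicitly opted in, so a cancel parameter sent to any other action no longer bypasses validation. The parameter name, class names and sample mappings are assumptions for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of the per-mapping cancel check; not Struts' own RequestProcessor.
public class CancelCheck {

    // Assumed name of the request parameter emitted by the html:cancel tag.
    static final String CANCEL_PARAM = "org.apache.struts.taglib.html.CANCEL";

    // Minimal stand-in for an action mapping carrying the proposed boolean property.
    static final class Mapping {
        final String path;
        final boolean acceptCancel; // the "accept-cancel" property from the thread

        Mapping(String path, boolean acceptCancel) {
            this.path = path;
            this.acceptCancel = acceptCancel;
        }
    }

    // Old behaviour: a cancel token skipped validate() for every mapping.
    static boolean mustValidateLegacy(Map<String, String> params) {
        return !params.containsKey(CANCEL_PARAM);
    }

    // Fixed behaviour: the token is honoured only where the mapping opted in;
    // everywhere else validate() still runs, even when the token is present.
    static boolean mustValidate(Mapping mapping, Map<String, String> params) {
        boolean cancelRequested = params.containsKey(CANCEL_PARAM);
        return !(cancelRequested && mapping.acceptCancel);
    }

    public static void main(String[] args) {
        // Constructed mappings: one that never expects a cancel button, one that does.
        Mapping transfer = new Mapping("/transfer", false);
        Mapping wizard = new Mapping("/wizard", true);

        // Constructed request carrying the cancel token.
        Map<String, String> request = new HashMap<>();
        request.put(CANCEL_PARAM, "Cancel");
        request.put("amount", "-1");

        System.out.println("legacy, /transfer validates: " + mustValidateLegacy(request));
        System.out.println("fixed,  /transfer validates: " + mustValidate(transfer, request));
        System.out.println("fixed,  /wizard   validates: " + mustValidate(wizard, request));
    }
}
```

Under the legacy rule the /transfer request skips validation because the token is present; under the per-mapping rule only /wizard does.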
