The thing is that there isn't (that I see) any way to know if a value was
passed by the user. For example, in this case, by the time that
TextParseUtils is evaluating the value, that value was already assigned to the
action field, and the result is already executing. If you look at the
ParametersInterceptor you will see this:
    // Reject parameter names that carry expression syntax or are on the excluded list.
    protected boolean acceptableName(String name) {
        if (name.indexOf('=') != -1 || name.indexOf(',') != -1 || name.indexOf('#') != -1
                || name.indexOf(':') != -1 || isExcluded(name)) {
            return false;
        } else {
            return true;
        }
    }
We are doing something similar already, but for the name.
musachy
On 7/5/07, Antonio Petrelli <[EMAIL PROTECTED]> wrote:
2007/7/5, Musachy Barroso <[EMAIL PROTECTED]>:
> Implementing ParameterNameAware would solve the problem of someone tampering
> with the parameter name, but not entering %{} in the value. We need to
> prevent both.
Prevent? I don't think that intercepting the possible malicious values
is a viable solution; there will always be an exploit that can bypass
it.
I think that values passed by the user must not be evaluated as an
OGNL expression, just like EL is not evaluated when entered by the
user.
Antonio
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
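The two approaches argued over in this thread, side by side, as an added example that is not code from Struts, XWork or either poster. It is written in Python rather than Java so it runs without OGNL: the `%{...}` evaluator is a toy stand-in for TextParseUtil that only does integer arithmetic, `acceptable_name` applies the same character rule as the quoted `acceptableName()` plus an assumed `ALLOWED_NAMES` allowlist in the spirit of ParameterNameAware, and `Action`, `REQUEST_PARAMS` and both `set_parameters_*` functions are constructed for the example. The "evaluating" setter shows the problem Musachy describes (the value is translated on its way into the action field); the "literal" setter is Antonio's position that a request value is data and is never handed to the expression evaluator at all.

```python
import ast
import operator
import re

# Characters that the ParametersInterceptor.acceptableName() quoted in the
# thread rejects in a parameter name.
NAME_BLOCKED_CHARS = "=,#:"

# Assumption (not from the thread): the set of action properties a request
# may set, standing in for what an action would expose via ParameterNameAware.
ALLOWED_NAMES = {"message", "count"}


def acceptable_name(name: str, allowed=ALLOWED_NAMES) -> bool:
    """Name check: same character rule as the interceptor, plus an allowlist."""
    if any(c in name for c in NAME_BLOCKED_CHARS):
        return False
    return name in allowed


# Toy expression language inside %{...}: integer arithmetic only, so the
# example runs offline without OGNL or Struts.  It is a stand-in, not OGNL.
_EXPR = re.compile(r"%\{([^}]*)\}")
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_arith(node: ast.AST) -> int:
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_arith(node.left), _eval_arith(node.right))
    raise ValueError("unsupported expression: %s" % ast.dump(node))


def translate(text: str) -> str:
    """Toy stand-in for TextParseUtil: expand every %{...} found in text."""
    def repl(match):
        tree = ast.parse(match.group(1), mode="eval")
        return str(_eval_arith(tree.body))
    return _EXPR.sub(repl, text)


class Action:
    """Constructed action: two request-settable fields and one that is not."""
    def __init__(self):
        self.message = ""
        self.count = 0
        self.admin = False   # deliberately absent from ALLOWED_NAMES


def set_parameters_evaluating(action: Action, params: dict) -> Action:
    """Before: the request value is run through translate() on the way in."""
    for name, value in params.items():
        if acceptable_name(name):
            setattr(action, name, translate(value))
    return action


def set_parameters_literal(action: Action, params: dict) -> Action:
    """After: the request value is data and never reaches translate()."""
    for name, value in params.items():
        if acceptable_name(name):
            setattr(action, name, value)
    return action


# Constructed request parameters, as a servlet container would hand them over.
REQUEST_PARAMS = {
    "message": "%{6*7}",   # an expression smuggled in a value
    "admin": "true",       # a name the action does not allow
    "count=1": "2",        # a name containing a character acceptable_name rejects
}

if __name__ == "__main__":
    before = set_parameters_evaluating(Action(), REQUEST_PARAMS)
    after = set_parameters_literal(Action(), REQUEST_PARAMS)
    print("evaluating setter:", repr(before.message), before.admin)
    print("literal setter:   ", repr(after.message), after.admin)
```

Both setters reject `admin` and `count=1` at the name check, which is the part the quoted `acceptableName()` already covers. The difference is in `message`: the evaluating setter stores `"42"`, so whatever the expression language can do, the request can do; the literal setter stores the string `"%{6*7}"` unchanged, and no blocklist of "dangerous" values is needed because the value is never evaluated.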