I have been updating my distributions, but still see many attempts to 
compromise my installation through parameter submission like this:

ERROR

com.opensymphony.xwork2.interceptor.ParametersInterceptor

Developer Notification (set struts.devMode to false to disable this message):
Unexpected Exception caught setting 
'redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}'
 on 'class java.lang.String: 100

I have an IP based blacklist and expiry for people who attempt invalid mail 
submissions (injecting mail commands in subjects programatically, etc.) It 
works really well to blacklist IPs temporarily. I would like to do the same 
with these kind of submissions. If someone attempts to inject commands in 
parameters, I would like to be able to intercept that and ban them.

I know I can insert an interceptor before ParametersInterceptor is called. I 
would rather be able to catch when a parameter is not there or banned, or the 
length is inappropriate and have a chance to respond. It would also cut down 
the number of interceptors and improve response time. I would also like to not 
need a custom ParametersInterceptor, as it can be problematic to update with 
new Struts releases.

Can anyone help me with a new perspective or solution to this problem? Is 
anyone interested in a solution if I code a handler for bad requests, and 
insert code into ParametersInterceptor to allow the handler to process the bad 
response. My thought is that it would take the package, action, parameter, 
value, and the parameters map as values.

Thanks for you thoughts!

— Christian
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to