> [...]
> > Of course that's just an example that doesn't necessarily happen.
> > The bottom line is that you have to be able to put a firewall
> > against input parameters before they get into action properties.
> >
>
> Again, why?

To prevent exposing random properties to be maliciously overwritten.

> > That's why I will advocate my idea, that filtering parameters
> > in ParameterInterceptor is not an option. It's a thing that
> > must be done.
> >
>
> Create another Interceptor to do this

Could be done that way. Currently I in fact created my own
ParameterInterceptor. I personally think that ParameterInterceptor can
take advantage of knowing what parameters it should set. And finally,
for me the issue of preventing the setting of some parameters belongs
to ParameterInterceptor's operational domain. But of course this might
be only a personal preference.

> > I don't comment on the idea of the ProhibitedField pattern, cause
> > it's too weak to be sufficient.
> >
>
> I'm not sure I understand what the ProhibitedField pattern is, but how
> is it different from what you're talking about?

ProhibitedField suggests that an exclusion mechanism is used for
specific fields. I think it's weak cause it's pretty hard to enumerate
all possible exclusions in case you are working with nested components
(i.e. properties having nested properties). It's better to specify what
is allowed and assume that everything else is not allowed. So if I had
to choose I would prefer an AllowedField pattern.

> > Another issue is OGNL usage. Potentially it's a very
> > versatile tool. But I can't measure the number of potential
> > holes that are open when you use it to set parameters. Maybe
> > it could be used to bypass the validator and execute the action by
> > using carefully prepared parameters like 'this.execute()'.
> >
>
> Possibly.... We should look for a test case for this.
>
> -- Mike
>
> > Jason
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Opensymphony-webwork mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
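As an added illustration of the allow-list versus deny-list argument in the thread above (example code written for this note, not WebWork's ParameterInterceptor; the request parameters, the deny-list and the allow-list are constructed), this models the two filters side by side and shows which submitted names a ProhibitedField-style deny-list lets through that an AllowedField-style allow-list would reject:

```python
import re

# Constructed request parameters, modelling what an HTTP client could submit
# for binding onto action properties. "user.admin" is a nested property and
# "this.execute()" is an OGNL-style expression rather than a property path.
REQUEST_PARAMS = {
    "user.name": "alice",
    "user.email": "alice@example.com",
    "user.admin": "true",
    "this.execute()": "1",
    "password": "hunter2",
}

# ProhibitedField style: enumerate what must not be set (constructed list).
DENIED_FIELDS = {"admin", "password"}

# AllowedField style: enumerate the exact property paths the action accepts.
ALLOWED_PATHS = {"user.name", "user.email"}

# A plain property path: identifiers joined by dots and nothing else, so
# parentheses, brackets or operators an expression language would evaluate
# never reach the setter.
PROPERTY_PATH = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


def filter_denylist(params, denied):
    """Drop a parameter only when its full name is on the deny-list. Nested
    paths like 'user.admin' and expression-shaped names slip through
    because nobody enumerated them."""
    return {name: value for name, value in params.items() if name not in denied}


def filter_allowlist(params, allowed):
    """Keep a parameter only if it is syntactically a property path and that
    exact path was declared acceptable; everything else is dropped."""
    return {name: value for name, value in params.items()
            if PROPERTY_PATH.match(name) and name in allowed}


def leaked_by_denylist(params, denied, allowed):
    """Names the deny-list keeps that the allow-list would have rejected."""
    kept = filter_denylist(params, denied)
    safe = filter_allowlist(params, allowed)
    return sorted(set(kept) - set(safe))


if __name__ == "__main__":
    print("deny-list kept:", sorted(filter_denylist(REQUEST_PARAMS, DENIED_FIELDS)))
    print("allow-list kept:", sorted(filter_allowlist(REQUEST_PARAMS, ALLOWED_PATHS)))
    print("leaked by deny-list:", leaked_by_denylist(REQUEST_PARAMS, DENIED_FIELDS, ALLOWED_PATHS))
```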