Right right... Sorry, just me being stupid... 

We're going to want to be generally restrictive of calling some static
methods, not just in the Parameter names. We may want to just prohibit
static method access in parameters.

> -----Original Message-----
> From: Dick Zetterberg [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, December 17, 2003 10:45 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [OS-webwork] Security flaw with WW2
> 
> 
> I'm not sure if I understand your question but.... 
> The parameter names are evaluated so that you can have values 
> set automatically for parameters in your forms with names like:
>    user/name   (or user.name in WW2)  or    user/address/city
> The value is set on your beans without you having to 
> create methods or attributes in the action for them.
> 
> In WW1 this is handled separately from the ValueStack in the 
> BeanUtil class and only a limited set of the functionality of 
> the EL is available. So even if we had support for static 
> methods in WW1 one could not access them through the parameter names. 
> There can still be times in WW1 where you do not want people 
> to be able to fiddle with parameter names thereby setting 
> values they should not set. That was one of the reasons why I 
> added the NoParameters interface to WW1.4 so that you, when 
> you need it, can be absolutely sure that no parameters are 
> set automatically. I was thinking about having a more complex 
> specification where you could define a set of names and 
> wildcards like user/*  or user/address/* to specify what 
> parameters were allowed to be set, but I haven't had much time 
> to think about it more.
> 
> Cheers,
> 
> Dick
> 
> [EMAIL PROTECTED]
> 
> ----- Original Message ----- 
> From: "Jason Carreira" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 17, 2003 3:53 PM
> Subject: RE: [OS-webwork] Security flaw with WW2
> 
> 
> > Why are parameter names evaluated, I don't remember?
> > 
> > > -----Original Message-----
> > > From: John Patterson [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, December 17, 2003 8:35 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [OS-webwork] Security flaw with WW2
> > > 
> > > 
> > > I just mean the parameter name not the value.  This would
> > > stop names like '@[EMAIL PROTECTED](1).dummy' from being evaluated.
> > > 
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign 
> up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell 
> to sys admin.
> Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=ick
> _______________________________________________
> Opensymphony-webwork mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
> 


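The allow-list Dick sketches above (a set of names plus wildcards such as user/* and user/address/*), combined with John Patterson's point that a parameter name carrying expression syntax should never be handed to the evaluator at all, as an added example. This is illustrative code written for this page, not WebWork's ParametersInterceptor or BeanUtil, and it is Python rather than Java because the check itself is language-neutral. The wildcard semantics ('*' stands for exactly one path segment), the helper names, the empty-list-means-NoParameters convention and the sample request are all assumptions of the example.

```python
import re

# Separators accepted as property-path delimiters: '/' (WW1 style) and '.' (WW2 style).
_SPLIT = re.compile(r"[./]")
# One path segment: a Java identifier, optionally followed by a numeric index, e.g. items[3].
_SEGMENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\[[0-9]+\])?$")


def split_path(name: str):
    """Split 'user/address/city' or 'user.address.city' into its segments."""
    return _SPLIT.split(name)


def is_plain_property_path(name: str) -> bool:
    """True only if every segment is a bare identifier (with an optional [n] index).

    Anything else ('@', '#', '(', quotes, spaces, empty segments) is treated as
    expression syntax and refused before the name ever reaches the EL.
    """
    if not name:
        return False
    return all(_SEGMENT.match(seg) for seg in split_path(name))


def matches_pattern(name: str, pattern: str) -> bool:
    """Match a parameter name against one allow-list pattern.

    Assumed semantics (the thread does not define them): '*' stands for exactly
    one segment, so 'user/*' admits 'user/name' but not 'user/address/city';
    the latter needs 'user/address/*'.
    """
    name_segs = split_path(name)
    pat_segs = split_path(pattern)
    if len(name_segs) != len(pat_segs):
        return False
    return all(p == "*" or p == n for p, n in zip(pat_segs, name_segs))


def filter_parameters(params: dict, allowed) -> tuple:
    """Return (accepted, rejected_names) for one request's parameters.

    allowed=None  -> no allow-list configured: any plain property path passes.
    allowed=[]    -> NoParameters: nothing is set automatically.
    """
    accepted, rejected = {}, []
    for name, value in params.items():
        if not is_plain_property_path(name):
            rejected.append(name)          # expression syntax in the name
            continue
        if allowed is not None and not any(matches_pattern(name, p) for p in allowed):
            rejected.append(name)          # plain path, but not on the allow-list
            continue
        accepted[name] = value
    return accepted, rejected


# Constructed sample request, not a captured one. The last two names have the
# shape John Patterson's message objects to: a static-method call and a
# context-variable reference smuggled into a parameter *name*. The class and
# method in them are made up for this example.
SAMPLE_REQUEST = {
    "user/name": "alice",
    "user/address/city": "Oslo",
    "user.address.zip": "0150",
    "admin/role": "superuser",
    "@com.example.Foo@bar(1).dummy": "x",
    "#session.admin": "true",
}

# Allow-list in the form Dick describes.
ALLOWED = ["user/*", "user/address/*"]

if __name__ == "__main__":
    ok, bad = filter_parameters(SAMPLE_REQUEST, ALLOWED)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

The two checks are deliberately separate: the syntactic one runs first and needs no configuration, so a deployment that never sets up an allow-list still cannot have a static-method expression walked through the parameter names; the allow-list then decides which plain paths an action is willing to have populated, with an empty list reproducing what NoParameters guarantees.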
