Dale Newfield wrote:
Don Brown wrote:
Little known fact, but you can specify the method via:

"?method:MY_METHOD_NAME"

This code exists to support the method attribute on the submit tag,
allowing you to submit the form to different methods based on what
button is clicked.

I wondered how the submit tag argument worked.
I would argue this is as big a security vulnerability as the "action!method" capability. (As, for example, it can allow less privileged users to access more privileged methods that the author thought were protected via the url pattern by something like org.acegisecurity.intercept.web.FilterSecurityInterceptor.) Is there any way to restrict which methods are valid there, or to turn this capability off?

-Dale
I always use the following configuration to minimise the vulnerability:

<action name="/home_*" method="do{1}">

</action>

With that setting, only methods with the prefix "do" in their name can be executed.
i.e. ?method:update calls doUpdate()

cheers,
Jeromy Evans
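To make the difference between the two situations in this thread concrete, here is a small Python simulation of the dispatch rule Jeromy describes. It is an added example, not code from the thread and not Struts' own DefaultActionMapper; the HomeAction class, its adminReset method and the capitalisation of the first letter before substitution into "do{1}" (which the mail's "update -> doUpdate" example implies) are all assumptions of this example, and the real framework's resolution order may differ.

```python
from urllib.parse import parse_qs


class HomeAction:
    """Constructed stand-in for a Struts action class (not from the thread)."""

    def __init__(self):
        self.log = []  # records which method actually ran

    def execute(self):
        self.log.append("execute")
        return "success"

    def doUpdate(self):
        self.log.append("doUpdate")
        return "success"

    def adminReset(self):
        # Assumed privileged method: an unrestricted "method:" parameter can
        # reach it even if the URL pattern for it is protected by a filter.
        self.log.append("adminReset")
        return "success"


def method_from_query(query):
    """Return NAME from a 'method:NAME' query parameter, or None if absent.

    The parameter has no value ("?method:update"), so blank values are kept.
    """
    for key in parse_qs(query, keep_blank_values=True):
        if key.startswith("method:"):
            return key[len("method:"):]
    return None


def dispatch(action, method_name, template=None):
    """Invoke the selected method on the action.

    template=None mirrors an action mapping with no method attribute: the
    request-supplied name is used verbatim.  template="do{1}" mirrors the
    mapping from the mail: {1} is replaced by the (first-letter-capitalised,
    an assumption here) request name, so only do* methods are reachable.
    """
    if method_name is None:
        target = "execute"
    elif template is None:
        target = method_name
    else:
        target = template.replace("{1}", method_name[:1].upper() + method_name[1:])
    fn = getattr(action, target, None)
    if fn is None or not callable(fn):
        raise AttributeError("no such method: " + target)
    return fn()


if __name__ == "__main__":
    # Constructed request: "?id=5&method:adminReset"
    name = method_from_query("id=5&method:adminReset")
    unrestricted = HomeAction()
    print(dispatch(unrestricted, name), unrestricted.log)       # reaches adminReset
    restricted = HomeAction()
    try:
        dispatch(restricted, name, "do{1}")                     # looks for doAdminReset
    except AttributeError as e:
        print("rejected:", e, restricted.log)
    ok = HomeAction()
    print(dispatch(ok, method_from_query("method:update"), "do{1}"), ok.log)
```

Note that the prefix rule only helps if every method you expose for dispatch really is named do* and nothing privileged shares that prefix; it narrows the reachable set rather than replacing per-method authorisation.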
