If you lecture your developers to be aware that any public method becomes fair 
game the security concern might be mitigated but you still have a 
maintainability issue. With explicit configuration someone inheriting the code 
can easily figure out how an action method is used by looking at annotations or 
the XML. If you allow bangs not only do you have to read *all* the JSPs in 
your application -- some URLs might be coming from outside the application 
making it impossible to account for all usage of the action.
Chris

-----Original Message-----
From: Jan T. Kim <j....@uea.ac.uk>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Sun, Jun 28, 2009 10:55 am
Subject: Re: Action mapping documentation (and a security question)

On Sun, Jun 28, 2009 at 08:15:43AM -0400, Dave Newton wrote:
> Jan T. Kim wrote:
> >(1) Where is the documentation of this wildcard syntax? 
> 
> http://struts.apache.org/2.x/docs/wildcard-mappings.html
> http://struts.apache.org/2.x/docs/action-configuration.html#ActionConfiguration-WildcardMethod
> 
> Although the underscore thing is mentioned I don't think it's explicitly 
> stated. The first link above is linked off the "Guides" page directly, 
> and from the action configuration page.

Ok -- from experimentation it seems to me that an "exclamation point 
(aka 'bang'), underscore, or other special character" matches any other
special character or the empty string, as accessing "bleh", "bleh_"
and "bleh!" gives me a test form with validation errors while accessing
"bleh_input" gives me one without validation errors. (I tried a few
other characters but none exhibited this "special" behaviour so far --
does anyone know what the "other special characters" are?)

> >(2) Isn't encoding methods in action name suffixes like this a potential
> >security issue? 

So, are wildcards useful for development but have to be expanded before
putting a system to production use?

Replacing the filename-globbing-like wildcard system with a complete
regular expression system would allow writing more precise rules, e.g.
one could write

    <action name="^bleh(_((input)|(dummy)))?$" method="{2}" ...>
      ...
    </action>

and be certain that the method attribute won't take any values other
than "input", "dummy", or the empty string (which then probably should
map to the execute method).

Best regards, Jan
-- 
 +- Jan T. Kim -------------------------------------------------------+
 |             email: j....@uea.ac.uk                                 |
 |             WWW:   http://www.cmp.uea.ac.uk/people/jtk             |
 *-----=<  hierarchical systems are for files, not for humans  >=-----*
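The two configurations the thread contrasts, side by side in one struts.xml, as an added example that is not from either poster: the wildcard mapping that exposes every public method, and an explicit form that pins the reachable methods down the way Jan's regex would. It assumes a hypothetical `example.BlehAction` class with `input` and `dummy` methods and a `/bleh.jsp` result, and uses `strict-method-invocation` and `<allowed-methods>`, which Struts 2 added in releases later than this 2009 thread (Struts 2.5 for strict method invocation).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Turn off "action!method" (bang) dynamic method invocation for the whole
         application, so the URL alone can no longer pick the method to run. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Weak: method="{1}" hands the wildcard capture straight to the method
         lookup, so every public method of BlehAction (hypothetical class) is
         reachable through some bleh_* URL, whether or not a JSP links to it. -->
    <package name="weak" extends="struts-default" namespace="/weak">
        <action name="bleh_*" class="example.BlehAction" method="{1}">
            <result>/bleh.jsp</result>
        </action>
    </package>

    <!-- Hardened: strict method invocation rejects any method that is not
         explicitly listed, so a wildcard mapping can only resolve to the
         allow-list below (the "input or dummy" set from Jan's regex). -->
    <package name="hardened" extends="struts-default" namespace="/hardened"
             strict-method-invocation="true">
        <action name="bleh_*" class="example.BlehAction" method="{1}">
            <allowed-methods>input,dummy</allowed-methods>
            <result>/bleh.jsp</result>
        </action>
        <!-- Plain "bleh" with no suffix maps to execute(), the default method,
             which mirrors the "empty string -> execute" case in the thread. -->
        <action name="bleh" class="example.BlehAction">
            <result>/bleh.jsp</result>
        </action>
    </package>
</struts>
```

In the hardened package a reviewer can enumerate the reachable methods from the XML alone, which is the maintainability point Chris makes; in the weak package that requires reading every class and every JSP.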
