Is your user object initialized when the param interceptor is run?

Here I might be wrong, but what I know is: if your object is initialized, then
Struts or OGNL will call getUser().setEmail(...);
otherwise it creates a new User, then setEmail, then setUser.
Then the second case should fail for you.

Again, I might be wrong on the behavior.

On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron
<dalte...@iupui.edu> wrote:

> I've been getting more and more concerned about the possibility of
> parameter manipulation attacks with Struts2. I've started doing strict
> whitelists using the ParameterNameAware interface on all of my forms pages.
> However, today I tried to code a "display-only" page that shows information
> about a particular user. I thought that by simply creating a getter and no
> setter, it would be impossible to inject parameters. For example, my action
> only contains the following getter for a JPA model object:
>
> public User getUser() {
>        return user;
> }
>
> However, by sending a simple query parameter, it is *still* possible to
> change values in user. For example, you can send:
>
>
> http://localhost:8080/MySite/userdisplay.action?user.email=newem...@address.com
>
> ... and it works. The email will become newem...@address.com
>
> Is there any way to shut this down other than whitelisting every single
> action in your site using ParameterNameAware? (Or simply never put model
> objects on your stack?) This is getting frustrating!
>
> -David
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
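An added example of the whitelist approach the original post mentions, written for this reply and not taken from the thread or from the Struts project: a display-only action that keeps the `getUser()` getter exactly as David has it, but implements `ParameterNameAware` so that the params interceptor drops every request parameter except `id` before OGNL ever evaluates it. It assumes the XWork 2 package names (`com.opensymphony.xwork2.ActionSupport`, `com.opensymphony.xwork2.interceptor.ParameterNameAware`) used by Struts 2.0/2.1; the `id` parameter, the in-memory `USERS` map and the stand-in `User` class are constructed for the example in place of a real JPA lookup.

```java
package example;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Stand-in for the JPA model object in the post; constructed for this example.
// It is exactly the shape that makes "user.email=x" reachable: a public getter
// on the action plus a public setter on the returned object.
class User {
    private final long id;
    private String email;

    User(long id, String email) { this.id = id; this.email = email; }
    public long getId() { return id; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

public class UserDisplayAction extends ActionSupport implements ParameterNameAware {

    // Constructed sample data standing in for the database.
    private static final Map<Long, User> USERS = new HashMap<Long, User>();
    static {
        USERS.put(1L, new User(1L, "alice@example.org"));
        USERS.put(2L, new User(2L, "bob@example.org"));
    }

    // Exact parameter names this page accepts. Anything else, including
    // "user.email", never reaches OGNL, so the getter-only object stays read-only.
    private static final Set<String> ACCEPTED =
        Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("id")));

    private long id;
    private User user;

    // ParametersInterceptor calls this once per request parameter. Returning
    // false discards the parameter instead of evaluating it as an expression
    // against the value stack.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED.contains(parameterName);
    }

    public void setId(long id) { this.id = id; }
    public long getId() { return id; }

    // Unchanged from the post. Without the whitelist above, ?user.email=x is
    // evaluated as getUser().setEmail("x"): OGNL only needs the getter to reach
    // the setter on the object it returns. With the whitelist, the parameter is
    // dropped before that expression is ever built.
    public User getUser() { return user; }

    @Override
    public String execute() {
        user = USERS.get(id);
        return user == null ? ERROR : SUCCESS;
    }
}
```

The check is a plain set lookup rather than a pattern on purpose: a display page has a tiny, known set of inputs, and an exact-match whitelist cannot be widened by a cleverly encoded name. For a site-wide rule the params interceptor also takes an `excludeParams` list of regular expressions in struts.xml (this is what Struts 2.1 uses to block `dojo\..*` and `^struts\..*` by default), so a pattern such as `^user\..*` can be applied to every action on the stack without touching each class; the per-action whitelist above is still the more restrictive of the two, because it names what is allowed rather than what is forbidden.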
