is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you
again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron <dalte...@iupui.edu>wrote: > I've been getting more and more concerned about the possibility of > parameter manipulation attacks with Struts2. I've started doing strict > whitelists using the ParameterNameAware interface on all of my forms pages. > However, today I tried to code a "display-only" page that shows information > about a particular user. I thought that by simply creating a getter and no > setter, it would be impossible to inject parameters. For example, my action > only contains the following getter for a JPA model object: > > public User getUser() { > return user; > } > > However, by sending a simple query parameter, it is *still* possible to > change values in user. For example, you can send: > > > http://localhost:8080/MySite/userdisplay.action?user.email=newem...@address.com > > ... and it works. The email will become newem...@address.com > > Is there any way to shut this down other than whitelisting every single > action in your site using ParameterNameAware? (Or simply never put model > objects on your stack?) This is getting frustrating! > > -David > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > >