This happens because the bean is null; otherwise Struts will populate it.

2010/12/17 <[email protected]>:
> Guys --
>
> If the action has no setter and the property is private, S2 will not
> populate it.
>
> Scott
>
> On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara <[email protected]> wrote:
>
>> David,
>> I get your point.
>>
>> Scott is right, you could overwrite PI or maybe write your custom
>> interceptor (though I think you should consider filing an issue on
>> JIRA).
>> Maybe it would use Java annotations to hide/expose fields, or
>> alternately it could behave as you supposed (expose only fields with
>> write accessors).
>>
>> 2010/12/17 Altenhof, David Aron <[email protected]>:
>> > The model objects are initialized in prepare() ... other techniques just
>> > aren't as practical for our application.
>> >
>> > I'm just going to keep doing lots of whitelisting with
>> > ParameterNameAware...
>> >
>> > -David
>> >
>> > -----Original Message-----
>> > From: Steven Yang [mailto:[email protected]]
>> > Sent: Friday, December 17, 2010 1:10 AM
>> > To: Struts Users Mailing List
>> > Subject: Re: Parameter manipulation
>> >
>> > Is your user object initialized when the param interceptor is run?
>> >
>> > Here I might be wrong, but what I know is: if your object is initialized,
>> > then Struts or OGNL will call getUser().setEmail(...); otherwise it creates
>> > a new User, then calls setEmail, then setUser, so the second case should
>> > fail for you.
>> >
>> > Again, I might be wrong on the behavior.
>> >
>> > On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron
>> > <[email protected]> wrote:
>> >
>> >> I've been getting more and more concerned about the possibility of
>> >> parameter manipulation attacks with Struts2. I've started doing strict
>> >> whitelists using the ParameterNameAware interface on all of my forms
>> >> pages. However, today I tried to code a "display-only" page that shows
>> >> information about a particular user. I thought that by simply creating
>> >> a getter and no setter, it would be impossible to inject parameters.
>> >> For example, my action only contains the following getter for a JPA
>> >> model object:
>> >>
>> >>     public User getUser() {
>> >>         return user;
>> >>     }
>> >>
>> >> However, by sending a simple query parameter, it is *still* possible
>> >> to change values in user. For example, you can send:
>> >>
>> >> http://localhost:8080/MySite/userdisplay.action?user.email=newem...@address.com
>> >>
>> >> ... and it works. The email will become [email protected]
>> >>
>> >> Is there any way to shut this down other than whitelisting every
>> >> single action in your site using ParameterNameAware? (Or simply never
>> >> put model objects on your stack?) This is getting frustrating!
>> >>
>> >> -David
>>
>> --
>> Maurizio Cucchiara

--
Maurizio Cucchiara

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
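One way to implement the ParameterNameAware whitelist David describes for a display-only action, as an added example that is not code from the thread or from the Struts project; the action class, the User stand-in, the allowed parameter names and the log message are assumptions for illustration:

```java
// Added example (not from the thread): a display-only Struts 2 action that
// exposes a getter-only model object, initialised in prepare() as in the
// thread, and uses ParameterNameAware so that ParametersInterceptor only
// sets parameters on an explicit allow-list. Names below are assumptions.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.Preparable;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

public class UserDisplayAction extends ActionSupport
        implements Preparable, ParameterNameAware {

    private static final Logger LOG =
            Logger.getLogger(UserDisplayAction.class.getName());

    // The only request parameter this page legitimately accepts (assumed).
    private static final Set<String> ALLOWED_PARAMS =
            new HashSet<String>(Arrays.asList("id"));

    private long id;     // populated from ?id=...
    private User user;   // getter only, but still reachable as "user.<prop>"

    /** Constructed stand-in for the JPA entity in the thread. */
    public static class User {
        private String email;
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    @Override
    public void prepare() {
        // Runs before ParametersInterceptor in the default stack, so without
        // the allow-list "user.email=..." would resolve to getUser().setEmail(...).
        user = new User();
        user.setEmail("placeholder@example.invalid"); // placeholder value
    }

    public void setId(long id) { this.id = id; }
    public User getUser() { return user; }

    /** Called by ParametersInterceptor for every request parameter name. */
    @Override
    public boolean acceptableParameterName(String name) {
        boolean ok = ALLOWED_PARAMS.contains(name);
        if (!ok) {
            // Rejected names are worth logging: a detection signal for tampering.
            LOG.warning("Rejected request parameter: " + name);
        }
        return ok;
    }
}
```

With this in place a request carrying `user.email=...` is dropped before OGNL ever evaluates it, while `id` is still set normally.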

