I would not go so far as to consider this a security issue; I'd rather say ParameterFilterInterceptor might not be feature complete.
I think it would be straightforward to also enable RegExp for ParameterFilterInterceptor, to enhance its usability in this case. What exactly would be that hard when writing a RegExp for ParametersInterceptor? If you know your "evil" parameter names, you could quite safely use a somewhat greedy pattern like .*evilParamName.* IMO.

- Rene

On Tue, 12.08.2008, 11:24, jelmer wrote:
> Hi all,
>
> I was looking into an easy way to prevent people binding on fields they
> shouldn't be binding on.
>
> Say you have a User object, you do not want people to be able to bind on
> the isAdmin property.
>
> Various people recommended using the ParameterFilterInterceptor for this
> but it seems to be flat out broken.
>
> When you configure an action like this
>
> <action name="test" class="com.webapp.action.TestAction">
>   <interceptor-ref name="param-namevalue-filter">
>     <param name="blocked">name</param>
>   </interceptor-ref>
>   <interceptor-ref name="params"/>
> </action>
>
> then this won't work:
>
> /test.action?name=myname
>
> but this does:
>
> /test.action?(name)=jelmer
>
> and so does this
>
> /test.action?((name))=jelmer
>
> And so on. In fact it is impossible to block any parameter effectively with
> the ParameterFilterInterceptor.
>
> Btw. I am aware that there is also the excludeParams method on the
> ParametersInterceptor that accepts a regexp, so theoretically you could use
> this to block parameters effectively, but it would be extremely hard to write
> a correct regexp for it. Also I haven't found a way to configure both params
> interceptors in a paramsPrepareParamsStack. This will only configure the
> first params interceptor in the stack
>
> <interceptor-ref name="clientCrudStack">
>   <param name="params.excludeParams">some pattern</param>
> </interceptor-ref>
>
> Struts really seems to be lacking in this area.
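The exact-name filter versus the pattern-based exclusion discussed in this thread, as an added Python model that is not code from the thread or from Struts; `filter_exact`, `filter_regex`, `canonical_name` and the sample keys are assumptions constructed to mirror the behaviour the thread describes, and the canonicalisation only handles the parenthesised forms shown above:

```python
import re

# Constructed sample query-string keys, taken from the thread: the plain
# property name, the two OGNL-parenthesised forms, and one unrelated field.
SAMPLE_PARAMS = {
    "name": "myname",
    "(name)": "jelmer",
    "((name))": "jelmer",
    "email": "j@example.test",
}


def filter_exact(params, blocked):
    """Model of the exact-name check the thread attributes to
    ParameterFilterInterceptor (hypothetical re-implementation): a parameter
    is dropped only when its raw key is literally one of the blocked names,
    so "(name)" and "((name))" pass straight through."""
    return {k: v for k, v in params.items() if k not in blocked}


def filter_regex(params, exclude_pattern):
    """Model of a pattern-based exclusion in the spirit of excludeParams:
    drop a parameter whose whole key matches the pattern. The greedy
    ".*name.*" suggested in the reply catches every wrapped variant."""
    rx = re.compile(exclude_pattern)
    return {k: v for k, v in params.items() if not rx.fullmatch(k)}


def canonical_name(key):
    """Peel off matched outer parentheses so "((name))" normalises to "name".
    Hypothetical defensive helper, not part of either Struts interceptor."""
    while len(key) >= 2 and key[0] == "(" and key[-1] == ")":
        key = key[1:-1]
    return key


def filter_canonical(params, blocked):
    """Block on the canonical name instead of the raw key, so the wrapped
    forms are rejected without having to maintain a regex per property."""
    return {k: v for k, v in params.items() if canonical_name(k) not in blocked}
```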