Well, the Interceptor promises to "blocks parameters from getting to the rest
of the stack or your action"; clearly it fails to deliver on that.

The regexp solution is unusable in a paramsPrepareParamsStack because you
would essentially have to duplicate the entire stack.

On Tue, Aug 12, 2008 at 11:58 AM, Rene Gielen <[EMAIL PROTECTED]> wrote:

> I would not go so far to consider this a security issue, I'd rather say
> ParameterFilterInterceptor might not be feature complete.
>
> I think it would be straightforward to also enable RegExp for
> ParameterFilterInterceptor, to enhance its usability in this case.
>
> What exactly would be that hard when writing a RegExp for
> ParametersInterceptor? If you know your "evil" parameter names, you could
> quite safely use a somewhat greedy pattern like .*evilParamName.* IMO.
>
> - Rene
>
> Am Di, 12.08.2008, 11:24, schrieb jelmer:
> > Hi all,
> >
> > I was looking into an easy way to prevent people binding on fields they
> > shouldn't be binding on.
> >
> > Say you have a User object, you do not want people to be able to bind on
> > the isAdmin property.
> >
> > Various people recommended using the ParameterFilterInterceptor for this
> > but it seems to be flat out broken.
> >
> > When you configure an action like this
> >
> > <action name="test" class="com.webapp.action.TestAction">
> >     <interceptor-ref name="param-namevalue-filter">
> >        <param name="blocked">name</param>
> >     </interceptor-ref>
> >     <interceptor-ref name="params"/>
> > </action>
> >
> > then this won't work:
> >
> > /test.action?name=myname
> >
> > but this does:
> >
> > /test.action?(name)=jelmer
> >
> > and so does this:
> >
> > /test.action?((name))=jelmer
> >
> > And so on, in fact it is impossible to block any parameter effectively
> > with the ParameterFilterInterceptor.
> >
> >
> > Btw. I am aware that there is also the excludeParams method on the
> > ParametersInterceptor that accepts a regexp, so theoretically you could use
> > this to block parameters effectively, but it would be extremely hard to
> > write a correct regexp for it. Also I haven't found a way to configure both
> > params interceptors in a paramsPrepareParamsStack. This will only configure
> > the first params interceptor in the stack:
> >
> > <interceptor-ref name="clientCrudStack">
> >    <param name="params.excludeParams">some pattern</param>
> > </interceptor-ref>
> >
> > Struts really seems to be lacking in this area.
> >

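An added illustration, not Struts code and not written by anyone in this thread, modelling the three strategies the discussion touches on: an exact-match blocklist behaving the way jelmer describes, a greedy exclude pattern of the kind Rene suggests, and a strict allowlist that accepts only plain dotted identifier names. The parameter names, the blocked field `isAdmin` and the allowed set are constructed for the example.

```python
import re

# Field from the thread's User example that must never be bindable.
BLOCKED_FIELD = "isAdmin"

def exact_blocklist_allows(param_name, blocked=(BLOCKED_FIELD,)):
    """Model of a filter that compares the raw parameter name against a
    blocklist by string equality. Names that merely wrap the blocked
    field in expression syntax are not equal to it and pass through."""
    return param_name not in blocked

def greedy_regex_blocks(param_name, pattern=r".*" + BLOCKED_FIELD + r".*"):
    """Greedy exclude pattern applied to the raw name: any name that
    contains the blocked field as a substring is rejected."""
    return re.fullmatch(pattern, param_name) is not None

# A parameter name is only considered if it is a plain identifier, optionally
# dotted (e.g. user.name); parentheses or other expression syntax never match.
IDENTIFIER_PATH = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")

def allowlist_allows(param_name, allowed=frozenset({"name", "email"})):
    """Allowlist: accept only well-formed identifiers that are explicitly
    permitted, so nothing outside the known field set can be bound."""
    return IDENTIFIER_PATH.match(param_name) is not None and param_name in allowed

def evaluate(param_names):
    """For each constructed parameter name, report whether each strategy
    would let it reach the action (True) or stop it (False)."""
    return {
        name: {
            "exact_blocklist": exact_blocklist_allows(name),
            "greedy_regex": not greedy_regex_blocks(name),
            "allowlist": allowlist_allows(name),
        }
        for name in param_names
    }

if __name__ == "__main__":
    # Constructed request parameter names, including the wrapped forms
    # from the thread and one legitimate field.
    for name, verdicts in evaluate(["isAdmin", "(isAdmin)", "((isAdmin))", "name"]).items():
        print(f"{name!r:14} {verdicts}")
```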