[
https://issues.apache.org/struts/browse/STR-2347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40556
]
Ralf Hauser commented on STR-2347:
----------------------------------
see also https://issues.apache.org/jira/browse/VALIDATOR-155 and
https://issues.apache.org/jira/browse/VALIDATOR-227
> [validator] enhance validator to be also able to validate request
> parameters/headers
> ------------------------------------------------------------------------------------
>
> Key: STR-2347
> URL: https://issues.apache.org/struts/browse/STR-2347
> Project: Struts 1
> Issue Type: Improvement
> Components: Core
> Affects Versions: 1.2.4
> Environment: Operating System: All
> Platform: PC
> Reporter: Ralf Hauser
> Assigned To: Struts Developers
> Priority: Minor
>
> an important application programming security principle is to validate ALL
> inputs (owasp.org).
> request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
> bring many more values into an application than the validator.xml is capable of
> validating.
> --------------------
> RFE: provide a way to also validate header/parameter/attribute fields
> (beyond the maxFileSize controller that hopefully is applied also to them)
> ----------------
> see also STR-1984 and STR-2332
> P.S.: One might say that using any of those methods above is "bypassing" the
> org.apache.struts.validator.ValidatorForm concept. If we want to avoid that,
> wouldn't it be the right approach according to the information-hiding principle
> to remove the HttpServletRequest from the
> org.apache.struts.action.Action.execute() method signature?
> Probably, there would then be the need for a struts-controlled additional object
> allowing validated access to cookies, etc.?
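The kind of request-level validation the RFE asks for can be approximated today with a servlet filter that checks every parameter, and selected headers and cookies, against a whitelist before the Struts controller ever sees the request. The following is an added illustrative example, not code from Struts or from the reporter. The class name `InputPolicyFilter`, the rule set and the length limits are hypothetical, and it assumes a Servlet 3.x `javax.servlet` API and Java 8 or later.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Struts): rejects any request whose
 * parameters, selected headers or cookies fall outside a whitelist, so that
 * values later read with request.getParameter()/getHeader()/getCookies()
 * have been validated even when no validator.xml rule covers them.
 */
public class InputPolicyFilter implements Filter {

    /** One rule: a maximum length plus a regex the whole value must match. */
    static final class Rule {
        final int maxLength;
        final Pattern allowed;
        Rule(int maxLength, String regex) {
            this.maxLength = maxLength;
            this.allowed = Pattern.compile(regex);
        }
        boolean accepts(String value) {
            // matches() anchors the pattern to the entire value, so partial matches fail.
            return value != null && value.length() <= maxLength && allowed.matcher(value).matches();
        }
    }

    // Constructed example policy; a real deployment would load this from configuration.
    private static final Map<String, Rule> PARAM_RULES = new HashMap<>();
    private static final Map<String, Rule> HEADER_RULES = new HashMap<>();
    private static final Map<String, Rule> COOKIE_RULES = new HashMap<>();
    // Fallback for parameters and cookies without an explicit rule: bounded printable ASCII.
    private static final Rule DEFAULT_RULE = new Rule(256, "[\\x20-\\x7E]*");

    static {
        PARAM_RULES.put("page", new Rule(4, "[0-9]{1,4}"));
        PARAM_RULES.put("username", new Rule(32, "[A-Za-z0-9_.-]{1,32}"));
        HEADER_RULES.put("X-Requested-With", new Rule(32, "[A-Za-z]+"));
        COOKIE_RULES.put("JSESSIONID", new Rule(64, "[A-Za-z0-9]{1,64}"));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String violation = firstViolation(request);
        if (violation != null) {
            // Fail closed: the request never reaches Action.execute(). Only the input's
            // name is echoed back, never its value.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "rejected " + violation);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns a description of the first rejected input, or null if everything passes. */
    static String firstViolation(HttpServletRequest request) {
        // Every parameter is checked; names without an explicit rule use DEFAULT_RULE.
        for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
            Rule rule = PARAM_RULES.getOrDefault(e.getKey(), DEFAULT_RULE);
            for (String value : e.getValue()) {
                if (!rule.accepts(value)) return "parameter " + e.getKey();
            }
        }
        // Only headers with an explicit rule are checked (header lookup is case-insensitive).
        for (Map.Entry<String, Rule> e : HEADER_RULES.entrySet()) {
            Enumeration<String> values = request.getHeaders(e.getKey());
            while (values != null && values.hasMoreElements()) {
                if (!e.getValue().accepts(values.nextElement())) return "header " + e.getKey();
            }
        }
        // Every cookie is checked; names without an explicit rule use DEFAULT_RULE.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                Rule rule = COOKIE_RULES.getOrDefault(c.getName(), DEFAULT_RULE);
                if (!rule.accepts(c.getValue())) return "cookie " + c.getName();
            }
        }
        return null;
    }
}
```

The filter would be mapped in web.xml ahead of the Struts ActionServlet so that it runs on every request. It deliberately does not touch request attributes: those are set by server-side code rather than supplied by the client, so they fall outside the "validate all inputs" boundary the issue is concerned with.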
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.