[ https://issues.apache.org/struts/browse/STR-2347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40875 ]
Ralf Hauser commented on STR-2347:
----------------------------------
I consider writing my own org.apache.struts.action.Action extension that has a
- Session invalidate()
- Session getSession(),
but no direct access to HttpServletRequest request.
Similarly, I intend not to directly extend org.apache.struts.validator.ValidatorForm, but to have a mother of all my Forms that for example contains some navigation fields, etc.
However, I just wonder whether the validator can cope with inheritance (with multi-page, I understand, ValidatorActionForm should do...)
> [validator] enhance validator to be also able to validate request parameters/headers
> ------------------------------------------------------------------------------------
>
> Key: STR-2347
> URL: https://issues.apache.org/struts/browse/STR-2347
> Project: Struts 1
> Issue Type: Improvement
> Components: Core
> Affects Versions: 1.2.4
> Environment: Operating System: All
> Platform: PC
> Reporter: Ralf Hauser
> Assigned To: Struts Developers
> Priority: Minor
>
> An important application programming security principle is to validate ALL inputs (owasp.org).
> request.getParameter() and request.getHeader(), getCookies(), getAttribute() may bring many more values into an application than the validator.xml is capable to validate.
> --------------------
> RFE: provide a way to also validate header/parameter/attribute fields (beyond the maxFileSize controller that hopefully is applied also to them)
> ----------------
> see also STR-1984 and STR-2332
> P.S.: One might say that using any of those methods above is "bypassing" the org.apache.struts.validator.ValidatorForm concept. If we want to avoid that, wouldn't it be the right approach according to the information-hiding principle to remove the HttpServletRequest from the org.apache.struts.action.Action.execute() method signature?
> Probably, there would then be the need for a struts-controlled additional object allowing validated access to cookies, etc.?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
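The "struts-controlled additional object allowing validated access to cookies, etc." that the issue asks for, combined with the base Action from the comment that hides the raw HttpServletRequest, could be sketched as below. This is an added illustration for this thread, not code from the issue, from the commenter, or from Struts itself; the class names ValidatedRequestAccess, Rule and GuardedAction, and the per-name rule format (required flag, maximum length, allow-list regex) are assumptions. The point it makes is the one in the report: every parameter, header or cookie an Action reads must have a declared rule, so nothing reaches application code without passing through validation.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical accessor: the only way an Action may read raw request input. */
public final class ValidatedRequestAccess {

    /** One validation rule for a named parameter, header or cookie (assumed format). */
    public static final class Rule {
        final boolean required;
        final int maxLength;
        final Pattern allowed;   // allow-list: the whole value must match
        public Rule(boolean required, int maxLength, String allowedRegex) {
            this.required = required;
            this.maxLength = maxLength;
            this.allowed = Pattern.compile(allowedRegex);
        }
    }

    private final HttpServletRequest request;
    private final Map<String, Rule> parameterRules;
    private final Map<String, Rule> headerRules;
    private final Map<String, Rule> cookieRules;

    public ValidatedRequestAccess(HttpServletRequest request,
                                  Map<String, Rule> parameterRules,
                                  Map<String, Rule> headerRules,
                                  Map<String, Rule> cookieRules) {
        this.request = request;
        this.parameterRules = parameterRules;
        this.headerRules = headerRules;
        this.cookieRules = cookieRules;
    }

    /** Validated replacement for request.getParameter(name). */
    public String getParameter(String name) {
        return check(parameterRules, "parameter", name, request.getParameter(name));
    }

    /** Validated replacement for request.getHeader(name). */
    public String getHeader(String name) {
        return check(headerRules, "header", name, request.getHeader(name));
    }

    /** Validated replacement for scanning request.getCookies() by name. */
    public String getCookie(String name) {
        String raw = null;
        Cookie[] cookies = request.getCookies();      // may be null when no Cookie header
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (name.equals(c.getName())) { raw = c.getValue(); break; }
            }
        }
        return check(cookieRules, "cookie", name, raw);
    }

    /** Session handling is exposed without exposing the request itself. */
    public void invalidateSession() {
        if (request.getSession(false) != null) request.getSession(false).invalidate();
    }

    // Fail closed: an undeclared name is a programming error, a bad value is rejected input.
    private static String check(Map<String, Rule> rules, String kind, String name, String raw) {
        Rule rule = rules.get(name);
        if (rule == null) {
            throw new IllegalStateException("no validation rule declared for " + kind + " '" + name + "'");
        }
        if (raw == null) {
            if (rule.required) throw new IllegalArgumentException(kind + " '" + name + "' is required");
            return null;
        }
        if (raw.length() > rule.maxLength || !rule.allowed.matcher(raw).matches()) {
            throw new IllegalArgumentException(kind + " '" + name + "' failed validation");
        }
        return raw;
    }
}

/** Hypothetical base Action: subclasses never see the HttpServletRequest. */
abstract class GuardedAction extends Action {
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        ValidatedRequestAccess access = new ValidatedRequestAccess(
                request, parameterRules(), headerRules(), cookieRules());
        return execute(mapping, form, access, response);
    }

    protected abstract ActionForward execute(ActionMapping mapping, ActionForm form,
                                             ValidatedRequestAccess access,
                                             HttpServletResponse response) throws Exception;

    // Each concrete Action declares what it reads; everything else is unreachable.
    protected Map<String, ValidatedRequestAccess.Rule> parameterRules() { return new HashMap<>(); }
    protected Map<String, ValidatedRequestAccess.Rule> headerRules()    { return new HashMap<>(); }
    protected Map<String, ValidatedRequestAccess.Rule> cookieRules()    { return new HashMap<>(); }
}
```

A concrete Action would override the three rule methods (for example declaring a cookie "lang" as optional, at most 5 characters, matching `[a-z]{2}(-[A-Z]{2})?`) and receive only the accessor in its execute method, which is the information-hiding arrangement the P.S. describes; the rule maps could equally be loaded from a validator.xml-style configuration rather than coded per Action.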