XSRF flaw in
struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java
---------------------------------------------------------------------------------------------------
Key: WW-3537
URL: https://issues.apache.org/jira/browse/WW-3537
Project: Struts 2
Issue Type: Bug
Components: Plugin - REST
Affects Versions: 2.2.1
Reporter: Stefan Magnus Landrø
Fix For: 2.2.1.1
I believe I've just found a major XSFR flaw in the REST plugin's
RestActionMapper.
See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 for
more details concerning XSRF.
Manually performing a GET request on a create() method using the name!method
convention, the create() method actually gets invoked (btw, the model is also
populated).
As far as I can see, ANY of the operations with side effects (create, update,
destroy) can be invoked this way (using a GET request)
The code in RestActionMapper seems to totally ignore the HTTP-method used:
// handle "name!method" convention.
String name = mapping.getName();
int exclamation = name.lastIndexOf("!");
if (exclamation != -1) {
mapping.setName(name.substring(0, exclamation));
mapping.setMethod(name.substring(exclamation + 1));
}
Most other REST frameworks use annotations like @GET/@POST or similar
mechanisms on the controller methods in order to make sure that the correct
method is used, otherwise yielding a 400 BAD REQUEST or similar.
Has this issue been addressed before?
In the current state, I would not recommend using the REST plugin for
production use.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
