>> From: Musachy Barroso <[EMAIL PROTECTED]>
>> Subject: Re: ParameterFilterInterceptor security issue
>> To: "Struts Developers List"
>> Date: Wednesday, August 13, 2008, 10:41 AM
>> the patch for WW-2761 was committed to xwork trunk
>>
>>
>> wrote:
>> >>>
>> >>> I wrote an annotation based parameters
>> interceptor that extends the
>> >>> current parameters interceptor while allowing
>> you to configure the
>> >>> default "accept" policy for
Did you fix the "Memer" spelling error I noted on the review?
--- On Wed, 8/13/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> From: Musachy Barroso <[EMAIL PROTECTED]>
> Subject: Re: ParameterFilterInterceptor security issue
>> To: "Struts Developers List"
nfigure each individually to accept or reject parameters. I would
>>> still like to add some regex support to the action annotation. Would
>>> this interest you?
>>>
>>> Brian Relph
>>>
>>> -Original Message-
>>> From: Musachy
>> or reject parameters. I would still like to add some regex support to the
>> action annotation. Would this interest you?
>>
>> Brian Relph
>>
>> -Original Message-
>> From: Musachy Barroso [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, Augus
on. Would this interest you?
>
> Brian Relph
>
> -Original Message-
> From: Musachy Barroso [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2008 8:53 AM
> To: Struts Developers List
> Subject: Re: ParameterFilterInterceptor security issue
>
> I forgot to
EMAIL PROTECTED]
Sent: Tuesday, August 12, 2008 8:53 AM
To: Struts Developers List
Subject: Re: ParameterFilterInterceptor security issue
I forgot to say, that this would prevent all the OGNL expression tricks,
because the property name that is passed to MemberAccess to be checked, is the
actua
I forgot to say, that this would prevent all the OGNL expression
tricks, because the property name that is passed to MemberAccess to be
checked, is the actual property name, and not an expression.
musachy
On Tue, Aug 12, 2008 at 9:48 AM, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> It seems to me
s/Memeber/Member/g
On Tue, Aug 12, 2008 at 9:48 AM, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> It seems to me like there is an elegant solution to this. We can
> rename StaticMemeberAccess to SecurityMemeberAccess, and in there not
> only block static member access, but also fields that can be
>
It seems to me like there is an elegant solution to this. We can
rename StaticMemeberAccess to SecurityMemeberAccess, and in there not
only block static member access, but also fields that can be
configured using regular expressions. The params interceptor would
just set these fields before binding
Look at this related post too:
http://www.nabble.com/paramsPrepareParams-vs.-staticParams-td18773842.html
2008/8/12, Rene Gielen <[EMAIL PROTECTED]>:
>
> Am Di, 12.08.2008, 14:20, schrieb Jeromy Evans:
> >
> > This relates to Musachy's recent proposal to remove OGNL entirely from
> > the parameter
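The two points Musachy makes above (the check should see the actual property name rather than an OGNL expression, and the params interceptor should set regex-configurable accept/exclude rules before binding) can be shown in plain Java. The class below is an added example written for this page; it is not XWork's SecurityMemberAccess or any Struts code. The class name, the structural regex, and the accept/exclude patterns and sample parameter names in `main` are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Stand-in (not XWork's own class) for the parameter-name policy proposed in the
 * thread: decide, for each request parameter name, whether binding may proceed,
 * before any expression engine evaluates the name.
 */
public final class ParameterNamePolicy {

    /**
     * A plain property path: identifier segments joined by '.', each with an optional
     * numeric or single-quoted index. Anything else (parentheses, '#', '@', '=', ...)
     * is expression syntax, not a property name, and is rejected outright.
     */
    private static final Pattern PLAIN_PROPERTY_PATH = Pattern.compile(
        "^[A-Za-z_][A-Za-z0-9_]*(\\[(\\d+|'[^'\\\\]*')\\])?"
      + "(\\.[A-Za-z_][A-Za-z0-9_]*(\\[(\\d+|'[^'\\\\]*')\\])?)*$");

    private final List<Pattern> excludePatterns;
    /** Empty accept list means "accept everything that is not excluded". */
    private final List<Pattern> acceptPatterns;

    public ParameterNamePolicy(List<Pattern> excludePatterns, List<Pattern> acceptPatterns) {
        this.excludePatterns = Collections.unmodifiableList(new ArrayList<>(excludePatterns));
        this.acceptPatterns = Collections.unmodifiableList(new ArrayList<>(acceptPatterns));
    }

    /** Returns true only if the interceptor should let this parameter reach the action. */
    public boolean isAcceptable(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // 1. Structural check: the name must be a plain property path, never an expression.
        if (!PLAIN_PROPERTY_PATH.matcher(name).matches()) {
            return false;
        }
        // 2. Exclusion rules take precedence over acceptance rules.
        for (Pattern p : excludePatterns) {
            if (p.matcher(name).matches()) {
                return false;
            }
        }
        // 3. If an accept list is configured, the name must match at least one entry.
        if (acceptPatterns.isEmpty()) {
            return true;
        }
        for (Pattern p : acceptPatterns) {
            if (p.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed policy: the interceptor would set these from its configuration
        // before binding, as the thread proposes.
        ParameterNamePolicy policy = new ParameterNamePolicy(
            Arrays.asList(Pattern.compile("^admin\\..*")),                       // exclude
            Arrays.asList(Pattern.compile("^user\\..*"), Pattern.compile("^order\\..*"))); // accept

        // Constructed sample parameter names: plain paths, an excluded prefix,
        // a prefix outside the accept list, and names carrying expression syntax.
        String[] names = {
            "user.name",
            "order.items[0].quantity",
            "user.address['city']",
            "admin.password",
            "top.level",
            "#context.attr",
            "user.name()",
            "user.name=1"
        };
        for (String n : names) {
            System.out.println((policy.isAcceptable(n) ? "bind   " : "reject ") + n);
        }
    }
}
```

With the policy above, `user.name`, `order.items[0].quantity` and `user.address['city']` are bound; `admin.password` is refused by the exclude rule, `top.level` because it matches no accept rule, and the last three because they are expressions rather than property names. The thread's design places the name check inside the MemberAccess implementation so that it sees each resolved property name; this example approximates that by validating the whole parameter name up front, which is where a paramsPrepareParams stack can apply it once rather than duplicating the stack.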
Am Di, 12.08.2008, 14:20, schrieb Jeromy Evans:
>
> This relates to Musachy's recent proposal to remove OGNL entirely from
> the parameter-setting process. Which I think is a very good idea.
>
Indeed removing OGNL for parameters would fix this issue, but even if we
would decide to do so this won
This relates to Musachy's recent proposal to remove OGNL entirely from
the parameter-setting process. Which I think is a very good idea.
If I've understood correctly, currently there is no way to filter the
parameter names, using regex or otherwise, other than to verify them use
a whitelist
Well, the Interceptor promises to "blocks parameters from getting to the rest
of the stack or your action"; clearly it fails to deliver on that.
The regexp solution is unusable in a paramsPrepareParamsStack because you
would essentially have to duplicate the entire stack
On Tue, Aug 12, 2008 at 1
I would not go so far to consider this a security issue, I'd rather say
ParameterFilterInterceptor might not be feature complete.
I think it would be straightforward to also enable RegExp for
ParameterFilterInterceptor, to enhance its usability in this case.
What exactly would be that hard when