Hi!
Very interesting problem!
In my opinion it is clearly a bug!
On 1/22/06, Paul Benedict <[EMAIL PROTECTED]> wrote:
> > I can't think of a good reason it wouldn't call validate() too, like any
> > other request, just because the action was canceled. Like I said, maybe
> > someone can come up wi
On 1/21/06, Richard Wallace <[EMAIL PROTECTED]> wrote:
> Hello again,
>
> I'm running into a problem getting my /index.jsp to forward to a Clay
> HTML page. The index.jsp page just contains the following:
>
> When I try to hit it with the URL
> http://localhost:8080/shale-clay-example/ I
> > I can't think of a good reason it wouldn't call validate() too, like any
> > other request, just because the action was canceled. Like I said, maybe
> > someone can come up with a reasonable explanation for that behavior, but
> > I can't see it :)
There is a legitimate case: when a form can be cancell
That is of course the other angle on this... maybe you can argue that
this is only a substantial security problem in certain contrived
situations... ok, fine :) ... but, as Paul points out, it makes it
exceedingly easy to break an application. That's a Denial Of Service
risk, so it still falls
Rick Reumann wrote:
Maybe I'm missing how the above would happen. How would passing in the
canceled parameter end up getting them access to a table? Oh wait, maybe
this is with regular Actions with just an execute? It's been so long
since I used a non Dispatch Action I'm not aware of the behavi
Hello again,
I'm running into a problem getting my /index.jsp to forward to a Clay
HTML page. The index.jsp page just contains the following:
When I try to hit it with the URL
http://localhost:8080/shale-clay-example/ I get a 404 saying that
default.jsp cannot be found. If I goto
http:
Rick you said:
> I must still be missing something.. what is the big deal here? If you don't
> code to handle the cancel nothing serious can happen, and if you do code for
> a cancel, what's the worst case scenario?
Yes, you are missing something :) If you don't code the cancel, then your
act
Rick,
I think my concern is valid. I am sorry you don't find this a "big deal" but I
wonder how many
sites actually use validation to make sure they defend against bad input, only
to find out I can
pass in a request parameter to simply skip their checking. I mean, that's a
pretty big deal in my
Frank W. Zammetti wrote:
Now, imagine a hacker wants to get to a completely different table in
the database (I suppose reading from a selected table would be a better
example, but I digress). To do so, they can pass in the canceled
parameter and whatever table name they want, assuming they c
Rick Reumann wrote:
> Paul Benedict wrote:
> > The problem isn't that Struts allows the user to cancel an action, but
> > that EVERY action can be cancelled.
> I must still be missing something.. what is the big deal here? If you
> don't code to handle the cancel nothing serious can happen, and if you
> d
Paul Benedict wrote:
> The problem isn't that Struts allows the user to cancel an action, but that
> EVERY action can be cancelled.
I must still be missing something.. what is the big deal here? If you
don't code to handle the cancel nothing serious can happen, and if you
do code for a cancel,
> Arguably, by default you would want to say that all Actions are either
> cancelable or not, rather than having to set something on all mappings.
> Just my superficial thinking about it though :)
Agreed. That's why I recommend a property default with overrides
at the
level.
Better solution
Frank,
I am getting your emails delivered twice to the list today. Are you click happy
today? :) haha
Maybe mine are getting delivered twice; please tell me if so.
As for the bug/issue, I mainly use MappingDispatchAction and so there's no
reason to specifically
code for isCancelled() BUT I
Paul Benedict wrote:
> Hmm, maybe I don't understand the problem... as I understand it, cancel
> essentially has no effect on anything in Struts unless you manually check
> for it and act accordingly, correct? Or are you saying that everything
> happens *except* validation?
Correct. Cancel has no effect unless you reli
Paul Benedict wrote:
> The problem isn't that Struts allows the user to cancel an action, but that
> EVERY action can be cancelled.
Understood...
> This problem is heavily felt by GET requests because URLs are easy to mangle...
> and parameters can be added ad-hoc. I can take any action I use for
Frank,
Good response. Let me add some to it:
The problem isn't that Struts allows the user to cancel an action, but that
EVERY action can be
cancelled.
This problem is heavily felt by GET requests because URLs are easy to mangle...
and parameters can
be added ad-hoc. I can take any action I u
Hmm... is it truly a security hole? That's an interesting question...
I'm not so sure I would consider it one because in general you can play
a lot of games with a Struts-based app (and really just about any
webapp, although JSF is nice in this regard in that, AFAIK, everything
is POST-based)
Niall Pemberton wrote:
> Must have missed those comments, anyway not to worry, I take your word for
> it so +1 from me for your ritual flogging :-)
LOL :)
I want to correct a statement here. What can be passed in is
"org.apache.struts.taglib.html.CANCEL" or
"org.apache.struts.taglib.html.CANCEL.X" which will set
the cancelled flag.
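The two parameter names above are what the stock Struts 1.2 request processor looks for; when either is present it sets the request attribute behind Globals.CANCEL_KEY, and processValidate() then skips validation for that request no matter which mapping it hit. The following is an added example (my own code, not from this thread and not part of Struts) of the "property default with overrides at the mapping level" idea discussed earlier in the thread: a custom ActionMapping that is non-cancellable unless its mapping opts in, and a RequestProcessor that drops the cancel flag for everything else, so validation runs and isCancelled() reports false. It assumes the Struts 1.2 API (ActionMapping, RequestProcessor, Globals.CANCEL_KEY, Action.isCancelled); the class names, the "cancellable" property, the forward names and the struts-config fragment in the comment are assumptions made for this example.

```java
// --- File: CancellableActionMapping.java (hypothetical example class) ---
package example.struts;

import org.apache.struts.action.ActionMapping;

/**
 * Mapping with an opt-in "cancellable" flag. Register it for all mappings with
 *   <action-mappings type="example.struts.CancellableActionMapping">
 * and opt a single mapping in with
 *   <action path="/editProfile" ...>
 *     <set-property property="cancellable" value="true"/>
 *   </action>
 * Every mapping without that set-property keeps the safe default (false).
 */
public class CancellableActionMapping extends ActionMapping {
    private boolean cancellable = false;   // secure default: cancel is NOT honoured

    public boolean isCancellable() { return cancellable; }
    public void setCancellable(boolean cancellable) { this.cancellable = cancellable; }
}

// --- File: HardenedRequestProcessor.java (hypothetical example class) ---
package example.struts;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.Globals;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Install with <controller processorClass="example.struts.HardenedRequestProcessor"/>.
 * By the time processValidate() runs, populate has already turned
 * org.apache.struts.taglib.html.CANCEL (or CANCEL.x) into the Globals.CANCEL_KEY
 * request attribute. The stock implementation returns true (skip validation) when that
 * attribute is present; here it only does so for mappings that explicitly opted in.
 */
public class HardenedRequestProcessor extends RequestProcessor {
    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response,
                                      ActionForm form, ActionMapping mapping)
            throws IOException, ServletException {
        boolean cancelRequested = request.getAttribute(Globals.CANCEL_KEY) != null;
        boolean allowed = mapping instanceof CancellableActionMapping
                && ((CancellableActionMapping) mapping).isCancellable();

        if (cancelRequested && !allowed) {
            // Remove the flag: super.processValidate() will now run validate() /
            // validation.xml as for any other request, and Action.isCancelled(request)
            // inside the Action will return false, so no cancel branch is reachable.
            request.removeAttribute(Globals.CANCEL_KEY);
        }
        return super.processValidate(request, response, form, mapping);
    }
}

// --- File: EditProfileAction.java (hypothetical example class) ---
package example.struts;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** An action that genuinely is cancellable, so its mapping sets cancellable=true. */
public class EditProfileAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Check cancel FIRST, before reading anything from the form: on a cancelled
        // request the form has been populated from the request but NOT validated.
        if (isCancelled(request)) {
            return mapping.findForward("cancel");   // assumed forward name
        }
        // Only reached with the cancel flag absent, i.e. validate() has run and passed.
        return mapping.findForward("success");      // assumed forward name
    }
}
```

The point of putting the check in processValidate() rather than in every Action is the one raised in the thread: the per-mapping override is the exception, and the default applies to all the actions nobody remembered to audit. Note the flag is checked before the form is touched in the cancellable action; an Action that reads form properties first and tests isCancelled() later is still working on unvalidated data.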
I'd like to know if this is considered a security hole to other people besides
me. I saved an
email off this group back in July and finally went back to investigate it:
It seems that every action in Struts is cancellable, which means for Struts
actions that do not
religiously check for isCancell
Must have missed those comments, anyway not to worry, I take your word for
it so +1 from me for your ritual flogging :-)
Niall
- Original Message -
From: "Frank W. Zammetti" <[EMAIL PROTECTED]>
Sent: Saturday, January 21, 2006 9:50 PM
> Yeah, I suspected that was the case (and sent a f
Thank you very much Paul. It was a big time save for me.
Regards
Hakan
Paul Benedict <[EMAIL PROTECTED]>
20/01/2006 04:07 PM
To: Struts Users Mailing List
Subject: Re: error messages doesn't appear if validate is called programaticall
Yeah, I suspected that was the case (and sent a follow-up to Craig
off-list saying as much). I have no doubt it's my fault, I'm just not
sure how yet :) I'll have to look over settings tonight.
With some of my past JSF comments though, I can never be sure :) Of
course, it that was the case,
ROFL
Niall
- Original Message -
From: "Jakota Dack" <[EMAIL PROTECTED]>
To:
Sent: Saturday, January 21, 2006 9:06 PM
Subject: Re: submit button value vs displayed text
> > McGrady uses a process that automatically makes gif buttons and is
> > both capable of i18n and change of font
I doubt it - for some reason your messages add in your email address in the
reply to as well as the struts user (it did on this message, but I manually
removed it).
Niall
- Original Message -
From: "Frank W. Zammetti" <[EMAIL PROTECTED]>
Sent: Saturday, January 21, 2006 8:19 PM
> Is th
> McGrady uses a process that automatically makes gif buttons and is both
> capable of i18n and change of font and color. He has a special taglib for
> doing that. Ask him and he might give it to you.
Might He? Why are you talking about yourself in the third person? Does that
creep out you
Is there a hidden message in the fact that you CC'd me on this Craig? :)
Frank
Craig McClanahan wrote:
> On 1/20/06, Michael Jouravlev <[EMAIL PROTECTED]> wrote:
> > If all that JSF renderers produce are divs and spans with proper ids,
> > then dressing up a page would be a weekend fun a-la Zen Garden
On 1/20/06, Michael Jouravlev <[EMAIL PROTECTED]> wrote:
> If all that JSF renderers produce are divs and spans with proper ids,
> then dressing up a page would be a weekend fun a-la Zen Garden. Anyone
> from JSF team hears me? ;-
Building such renderers would be trivially easy, and woul
>From: "Frank W. Zammetti" <[EMAIL PROTECTED]>
>
> Nick Heudecker wrote:
> > All that said, I'd prefer if you don't use Wicket. I'd like to keep this
> > competitive advantage to myself. :)
>
> LOL, I like that answer! :)
>
Ya, I like that one too. As TBS would say, that's funny.
Nick Heudecker wrote:
All that said, I'd prefer if you don't use Wicket. I'd like to keep this
competitive advantage to myself. :)
LOL, I like that answer! :)
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
I figure I'm obligated to respond, since my comments were cited in the
original email. :)
I have to disagree with complaints about Wicket's complexity, but only
because I've been using it to build a product for the last few months.
Without heavy usage, I don't think I'd have the same positive opin
Checkout www.michaelmcgrady.com and click on the button ideas link. All the
code for each option is there. I would suggest the so-called "(new) LOOKUP
DISPATCH ACTION SOLUTION". With this solution internationalizing your
button is easy. McGrady uses a process that automatically makes gif
butt
Thanks Rick!
super.validate(mapping, request); works just fine for me.
I am able to now use both the validation.xml as well as the ones coded
in my actionform's validate method. :-)
~raghu~
On 1/21/06, Rick Reumann <[EMAIL PROTECTED]> wrote:
> How are you certain the validation.xml isn't being c