> -David
>
> -Original Message-
> From: Paweł Wielgus [mailto:poulw...@gmail.com]
> Sent: Tuesday, December 21, 2010 5:09 AM
> To: Struts Users Mailing List
> Subject: Re: Parameter manipulation
>
> Hi All,
> adding just one note to what Marcus already said, will You
fiddling 2) Mandating the wise practice of validating all incoming data.

Now if I could only find a few spare cycles to work on it...

-David

-Original Message-
From: Chris Pratt [mailto:thechrispr...@gmail.com]
Sent: Friday, December 17, 2010 1:08 PM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation

Maybe if the OP moves the bean creation out of the prepare() method (so the
bean isn't available during parameter injection) and then retrieves it at the
start of validate() or execute() that m
you supposed (expose only field with
write accessors).

2010/12/17 Altenhof, David Aron :
> The model objects are initialized in prepare() ... other techniques just
> aren't as practical for our application.
>
> I'm just going to keep doing lots of whitelisting with ParameterNameAware...
>
> -David
>
> -Original Message-
> From: Steven Yang [mailto:kenshin...@gmail.com]
> Sent: Friday, December 17, 2010 1:10 AM
> To: Struts Users Mailing List
> Subject: Re: Parameter manipulation
>
> > is your user object initialized when the param interceptor is run?
> >
> > here i might be wrong, but what i know is if your object is initialized
> > then Struts or OGNL will call getUser().setEmail(...)
From: Steven Yang [mailto:kenshin...@gmail.com]
Sent: Friday, December 17, 2010 1:10 AM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation

is your user object initialized when the param interceptor is run?

here i might be wrong, but what i know is if your object is initialized then
Struts or OGNL will call getUser().setEmail(...), i might be wrong on the
behavior

On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron wrote:
> I've been getting more and more concerned about the possibility of
> parameter manipulation attacks with Struts2. I've started doing strict
> whitelists using the ParameterNameAware
cessed through form parameters.

(*Chris*)

On Wed, Dec 15, 2010 at 8:39 AM, Altenhof, David Aron wrote:
> I've been getting more and more concerned about the possibility of
> parameter manipulation attacks with Struts2. I've started doing strict
> whitelists using the Para
I've been getting more and more concerned about the possibility of parameter
manipulation attacks with Struts2. I've started doing strict whitelists using
the ParameterNameAware interface on all of my forms pages. However, today I
tried to code a "display-only" page that sho