Re: data injection attack

2012-07-04 Thread J. Garcia
2 14:49 > To: Struts Users Mailing List; lukasz.len...@gmail.com > Subject: Re: data injection attack > > My action would have: > > public void setMyBean( MyBean myBean) {...} > > and I would like to avoid an injection on myBean.field3. This field could > be the ow

RE: data injection attack

2012-07-04 Thread Marcus Bond
...@gmail.com] Sent: 04 July 2012 14:49 To: Struts Users Mailing List; lukasz.len...@gmail.com Subject: Re: data injection attack My action would have: public void setMyBean( MyBean myBean) {...} and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance! On Wed

Re: data injection attack

2012-07-04 Thread J. Garcia
Implementing the ParameterNameAware interface with white/black list seems the best solution. Thanks, J. On Wed, Jul 4, 2012 at 3:51 PM, Dave Newton wrote: > Then whitelist/blacklist. > > Or don't expose sensitive data directly to the user. > > Dave > > (pardon brevity, typos, and top-quoting; on

Re: data injection attack

2012-07-04 Thread Dave Newton
Then whitelist/blacklist. Or don't expose sensitive data directly to the user. Dave (pardon brevity, typos, and top-quoting; on cell) On Jul 4, 2012 8:49 AM, "J. Garcia" wrote: > My action would have: > > public void setMyBean( MyBean myBean) {...} > > and I would like to avoid an injection on

Re: data injection attack

2012-07-04 Thread J. Garcia
My action would have: public void setMyBean( MyBean myBean) {...} and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance! On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart wrote: > Another way is to use AnnotationParameterFilterIntereptor (name > cont

Re: data injection attack

2012-07-04 Thread Łukasz Lenart
Another way is to use AnnotationParameterFilterIntereptor (name contains typo) and @Allowed and @Blocked annotations Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ --

Re: data injection attack

2012-07-04 Thread Łukasz Lenart
You can always implement ParameterNameAware interface and boolean acceptableParameterName(String parameterName); Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ --
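The ParameterNameAware approach that Łukasz describes above, and that J. Garcia later settles on with a white/black list, as an added example that is not part of the thread. The action, bean and field names (MyBeanAction, MyBean, field1/field2/field3) are assumptions mirroring the thread's placeholders; the interface and ActionSupport are the standard Struts 2 / XWork classes. The allowlist is checked by the parameters interceptor for each request parameter name before any setter is invoked, so `myBean.field3` (the owner id) can never be populated from the request even though the setter for `myBean` remains public.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Action that keeps the public setMyBean(...) setter but allowlists which
 * OGNL parameter names the parameters interceptor may set from the request.
 * Names and the model class are assumptions for this example.
 */
public class MyBeanAction extends ActionSupport implements ParameterNameAware {

    /** Placeholder model; field3 stands in for the owner id from the thread. */
    public static class MyBean {
        private String field1;
        private String field2;
        private Long field3; // owner id: must only ever be assigned server-side

        public String getField1() { return field1; }
        public void setField1(String field1) { this.field1 = field1; }
        public String getField2() { return field2; }
        public void setField2(String field2) { this.field2 = field2; }
        public Long getField3() { return field3; }
        public void setField3(Long field3) { this.field3 = field3; }
    }

    private MyBean myBean = new MyBean();

    // The setter the thread discusses: without a filter, the parameters
    // interceptor would happily walk into myBean.field3 as well.
    public void setMyBean(MyBean myBean) { this.myBean = myBean; }
    public MyBean getMyBean() { return myBean; }

    /** Exact parameter names the request is allowed to populate. */
    private static final Set<String> ALLOWED_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("myBean.field1", "myBean.field2")));

    /**
     * Called by the parameters interceptor for every request parameter name.
     * Only exact allowlisted names pass; myBean.field3, indexed or nested
     * expressions, and anything else are rejected before any setter runs.
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED_PARAMS.contains(parameterName);
    }

    /** Small self-check of the allowlist with constructed parameter names. */
    public static void main(String[] args) {
        MyBeanAction action = new MyBeanAction();
        String[] candidates = {
            "myBean.field1",          // allowed
            "myBean.field2",          // allowed
            "myBean.field3",          // rejected: owner id
            "myBean.field1.bytes[0]", // rejected: nested expression
            "myBean"                  // rejected: whole-object replacement
        };
        for (String name : candidates) {
            System.out.println(name + " -> " + (action.acceptableParameterName(name) ? "accept" : "reject"));
        }
    }
}
```

The owner id itself should then be assigned inside the action from the authenticated session rather than from any request data, so the allowlist is the boundary and the server remains the only writer of `field3`. Struts 2 also lets the parameters interceptor be configured with accept/exclude patterns in the interceptor stack; the per-action interface shown here is the option this thread is about.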

Re: data injection attack

2012-07-04 Thread Miguel Almeida
Lukas: that's not always viable though. You might need a setter for your model object elsewhere, but don't want that action to set that property. On Wed, 2012-07-04 at 14:57 +0200, Lukasz Lenart wrote: > By removing setter for it ? > > > Regards >

Re: data injection attack

2012-07-04 Thread Lukasz Lenart
By removing setter for it ? Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2012/7/4 J. Garcia : > An interesting article that I found: > > http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/ > > In struts