On Fri, Oct 01, 2004 at 04:17:59PM -0500, [EMAIL PROTECTED] wrote:
: > So for example I would have
: > http://ndsc.eng.vzwcorp.com/index.jsp?mainFrame=blahblah.jsp
:
: What you're doing seems like a great way to allow anyone to crash
: your app, or at least use up a lot of memory. Think what happens if
: someone sends you a url that looks like this:
:
: http://ndsc.eng.vzwcorp.com/index.jsp?mainFrame=index.jsp

True; it seems the OP would do well to have index.jsp track permitted
values. "Never trust user input" holds especially true here.

Also, to the OP: how are you calling the target JSP? If you're doing an
explicit forward() call, there'd be no problem to keep the params the
same. Put another way, if this is the desired query string for the
target JSP:

    a=b&c=d

and it's requested as

    .../index.jsp?mainFrame=somefile.jsp&a=b&c=d

then what would be the problem with somefile.jsp seeing the "mainFrame"
param?

-QM
--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
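
An added example, not part of the original thread: one way index.jsp could track permitted values for "mainFrame", so that the self-including request quoted above resolves to a default page instead of recursing. The class name, the /WEB-INF/frames/ paths and the default page are assumptions made for illustration.

```java
import java.util.Map;

// Added example: hypothetical helper that index.jsp could call before
// including or forwarding to the page named by the "mainFrame" parameter.
public class MainFrameResolver {
    // Assumption: the permitted pages are known in advance. Keys are the
    // values accepted in the query string; values are server-side paths
    // (hypothetical locations, not taken from the thread).
    private static final Map<String, String> PERMITTED = Map.of(
        "blahblah.jsp", "/WEB-INF/frames/blahblah.jsp",
        "somefile.jsp", "/WEB-INF/frames/somefile.jsp");

    // Hypothetical fallback page shown when the value is missing or unknown.
    private static final String DEFAULT_PAGE = "/WEB-INF/frames/home.jsp";

    /** Returns the server-side path to include; user input is never used as a path. */
    public static String resolve(String mainFrame) {
        if (mainFrame == null) {
            return DEFAULT_PAGE;
        }
        // Exact-match lookup: "index.jsp", "../x", absolute URLs and any
        // other unlisted value fall through to the default page.
        return PERMITTED.getOrDefault(mainFrame, DEFAULT_PAGE);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the self-include case.
        String[] samples = {"blahblah.jsp", "index.jsp", "../WEB-INF/web.xml", null};
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

In index.jsp the resolved path, not the raw parameter, would be what gets passed to `request.getRequestDispatcher(...)` before calling `include()` or `forward()`; the other query parameters (`a=b&c=d`) remain visible to the target page either way.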