Could you elaborate please? Is this a Servlet model security problem,
one specific to Struts, or one that is only exposed by neglect in some
other area (which is what I suspect)? This is news to me. I've used path
mapping all my Java life. I've also posted numerous path-mapping
strategies on this list (as have others) and never have encountered any
warnings like this.
Thanks,
Erik
Christian Bollmeyer wrote:
> On Friday 18 February 2005 19:00, Erik Weber wrote:
>> Learn to use (Servlet) path mapping ("/something/*") instead of
>> extension mapping ("*.something").
>
> Hm. Extension mapping is typically safe, while path-prefix
> mapping may be *not*. The details are laid out in
> Bergsten's 'Java Server Pages' 2nd Edition, p. 262ff.
> (O'Reilly, 2002), dealing with the processPath()
> implementation of Struts 1.0.2. Well, though this
> might have been changed in the meantime (can
> anybody here confirm?), we at least strictly stick
> to extension mapping (not always *.do :-) just
> for security reasons.
>
>> Erik
>
> -- Chris.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]