Hmm... is it truly a security hole? That's an interesting question...
I'm not so sure I would consider it one because in general you can play
a lot of games with a Struts-based app (and really just about any
webapp, although JSF is nice in this regard in that, AFAIK, everything
is POST-based) by fiddling with URLs without even considering the cancel
ability at all.
I *would* however contend that this is something the framework could
reasonably be expected to handle. It might not be an especially big
deal that it doesn't now, but it could make for a nice enhancement
nonetheless.
Ted Husted points out a suggested way of dealing with this in an Action:
// Inside Action.execute(): only honour the cancel if this mapping
// (or the global forwards) actually defines a "cancel" forward.
ActionForward forward = mapping.findForward("cancel");
if ((forward != null) && (isCancelled(request))) {
    // Post token error message
    ActionErrors errors = new ActionErrors();
    errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("error.cancel"));
    saveErrors(request, errors);
    return (forward);
}
// Otherwise fall through to normal processing of the (validated) form.
(Referenced from here: http://husted.com/struts/tips/014.html)
You could add this to the RP without much trouble, or in the 1.3 world
just modify the RP chain. I suppose you would logically want to do it
before the form is populated, probably as early on as possible. It
would just be a case of documenting the need to specify a forward named
"cancel" for an app, either globally or per-mapping (IIRC, Struts will
always use a matching local forward before looking for a global forward
with the same name, so you have the ability to override the global).
The default if no "cancel" forward is found would be to continue the
request, which would maintain compatibility with how it works now.
Anyone else?
Frank
Paul Benedict wrote:
I'd like to know if this is considered a security hole to other people besides
me. I saved an email off this group back in July and finally went back to
investigate it:

It seems that every action in Struts is cancellable, which means for Struts
actions that do not religiously check for isCancelled(), a hacker can bypass
validation simply by passing in the cancel key
("org.apache.struts.action.CANCEL"). This seems entirely possible through
Jakarta HttpClient, or just modifying the URL when possible.

So, in my opinion, it doesn't seem like data from the form is ever truly
reliable without the isCancelled() check.

I propose the Controller address this somehow. Maybe by using <set-property>
there can be an attribute set at the action to allow validation to be
legitimately skipped, or make this configurable at the <controller> level.

Any ideas?
Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
MSN: [EMAIL PROTECTED]
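One way to implement the RequestProcessor-level check Frank sketches above, as an added example that is not part of this thread or of the Struts code base. It assumes a Struts 1.2.x application (the single RequestProcessor, not the 1.3 command chain), and it hooks processValidate rather than running before form population, because the Globals.CANCEL_KEY request attribute that isCancelled() tests is only set while RequestUtils.populate copies the request into the form. The class and package names are hypothetical; "error.cancel" is the message key from Ted Husted's tip.

```java
// Hypothetical package and class name; register in struts-config.xml with
//   <controller processorClass="com.example.struts.CancelAwareRequestProcessor"/>
package com.example.struts;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.Globals;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;
import org.apache.struts.action.RequestProcessor;

/**
 * RequestProcessor that stops a cancelled request from reaching an Action
 * with unvalidated form data, unless the application has said nothing about
 * cancellation for that mapping (no "cancel" forward), in which case the
 * stock behaviour is kept for compatibility.
 */
public class CancelAwareRequestProcessor extends RequestProcessor {

    protected boolean processValidate(HttpServletRequest request,
                                      HttpServletResponse response,
                                      ActionForm form,
                                      ActionMapping mapping)
            throws IOException, ServletException {

        // RequestUtils.populate() sets this attribute when the request carried
        // the cancel parameter, whether it came from <html:cancel> or from a
        // hand-built URL. The stock processValidate() skips validation when
        // it is present; that is the bypass under discussion.
        boolean cancelled = request.getAttribute(Globals.CANCEL_KEY) != null;
        if (!cancelled) {
            return super.processValidate(request, response, form, mapping);
        }

        // findForward() consults the mapping's local forwards first and then
        // the global forwards, so a per-mapping "cancel" overrides a global one.
        ActionForward cancel = mapping.findForward("cancel");
        if (cancel == null) {
            // No "cancel" forward configured: behave exactly as Struts does today
            // (validation skipped, Action runs and must check isCancelled() itself).
            return super.processValidate(request, response, form, mapping);
        }

        // Record the cancellation for the target page, then forward there and
        // return false so the Action for this mapping is never executed.
        ActionMessages errors = new ActionMessages();
        errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("error.cancel"));
        request.setAttribute(Globals.ERROR_KEY, errors);

        processForwardConfig(request, response, cancel);
        return false;
    }
}
```

Returning false from processValidate is what RequestProcessor.process() uses to abort the request, so with a "cancel" forward in place an attacker who adds the cancel parameter to a request lands on the cancel page instead of in an Action that trusts its form bean. Mappings without a "cancel" forward are unchanged, which is the compatibility default Frank describes; tightening that default to reject cancellation outright would be a separate, application-wide decision.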