Paul Benedict wrote:
> The problem isn't that Struts allows the user to cancel an action, but that
> EVERY action can be cancelled.
I must still be missing something... what is the big deal here? If you
don't code to handle the cancel nothing serious can happen, and if you
do code for a cancel, what's the worst case scenario? - Since you are
doing a "cancel" you would just typically be forwarded or redirected
back to some input page or some other harmless page.
> This problem is heavily felt by GET requests because URLs are easy to mangle...
> and parameters can be added ad-hoc. I can take any action I use for a GET,
> add the CANCEL parameter to it, and then bypass all the validation I worked
> very hard to code :-)
What kind of form validation are you doing on a cancel request that is
such an issue?
> To me, this is a security concern and I think should be given a fix.
Can you elaborate a bit more on a real life example that could
realistically cause a security threat?
(As a side note, I never use the cancel button anyway. I always use
a submit or regular button with some javascript setting a 'canceled'
dispatch param for my cancel buttons. I had a reason at some point why I
liked doing that, although I forgot now what the exact reason was :)
--
Rick
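To make the mechanism the two posts are arguing about concrete, here is a stand-alone model of the request flow, added as an example for this thread; it is not Struts code and not code from either poster. It assumes the cancel button arrives as the request parameter `org.apache.struts.action.CANCEL` (or the `.x` form an image button sends), that a mapping with `validate` set normally runs the form bean's `validate()` before `execute()`, and that the cancel parameter short-circuits that validation. The `Mapping` class, the `validate` rules, the `/transfer.do` path and the `Outcome` values are my own stand-ins. The unhardened flow shows the GET described above: a bad `amount` is rejected on a normal request, but the same request with the cancel parameter appended reaches the action, and an action that never calls `isCancelled()` runs on unvalidated input. The hardened flow refuses a cancel on any mapping that has not explicitly opted in.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CancelBypassDemo {

    /** Parameter name a Struts 1 cancel button submits (assumed here, not read from the framework). */
    static final String CANCEL_PARAM = "org.apache.struts.action.CANCEL";

    /** Hypothetical stand-in for an action mapping: the path, whether the form is validated,
     *  whether the action's own code checks isCancelled(), and (hardened flow only) whether
     *  a cancel is permitted for this mapping at all. */
    static final class Mapping {
        final String path;
        final boolean validate;
        final boolean actionChecksCancel;
        final boolean cancellable;
        Mapping(String path, boolean validate, boolean actionChecksCancel, boolean cancellable) {
            this.path = path;
            this.validate = validate;
            this.actionChecksCancel = actionChecksCancel;
            this.cancellable = cancellable;
        }
    }

    enum Outcome { INPUT_ERRORS, CANCELLED, EXECUTED_UNVALIDATED, EXECUTED, REJECTED }

    /** Parse the query string of a GET URL into parameters (constructed input; no servlet container). */
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return params;
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                       URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** The form bean's validate(): the rules the developer "worked very hard to code". */
    static List<String> validate(Map<String, String> p) {
        List<String> errors = new ArrayList<>();
        String amount = p.get("amount");
        if (amount == null || !amount.matches("[0-9]{1,6}")) errors.add("amount must be 1 to 6 digits");
        String to = p.get("to");
        if (to == null || !to.matches("[A-Za-z0-9]{4,16}")) errors.add("to must be a 4 to 16 character account id");
        return errors;
    }

    static boolean isCancelled(Map<String, String> p) {
        return p.containsKey(CANCEL_PARAM) || p.containsKey(CANCEL_PARAM + ".x");
    }

    /** Unhardened flow: the cancel parameter on any request skips validation for every mapping. */
    static Outcome processUnhardened(Mapping m, Map<String, String> p) {
        boolean cancelled = isCancelled(p);
        if (m.validate && !cancelled && !validate(p).isEmpty()) return Outcome.INPUT_ERRORS;
        if (cancelled) {
            // Only an action that actually calls isCancelled() forwards back to the input page;
            // any other action now runs its normal logic on input that was never validated.
            return m.actionChecksCancel ? Outcome.CANCELLED : Outcome.EXECUTED_UNVALIDATED;
        }
        return Outcome.EXECUTED;
    }

    /** Hardened flow: a cancel is honoured only for mappings that opt in; otherwise the request is refused. */
    static Outcome processHardened(Mapping m, Map<String, String> p) {
        boolean cancelled = isCancelled(p);
        if (cancelled && !m.cancellable) return Outcome.REJECTED;
        if (m.validate && !cancelled && !validate(p).isEmpty()) return Outcome.INPUT_ERRORS;
        if (cancelled) return m.actionChecksCancel ? Outcome.CANCELLED : Outcome.EXECUTED_UNVALIDATED;
        return Outcome.EXECUTED;
    }

    public static void main(String[] args) {
        // A validated action whose author never wrote any cancel handling and never meant it to be cancellable.
        Mapping transfer = new Mapping("/transfer.do", true, false, false);
        String normal = "/transfer.do?amount=abc&to=x";
        String forged = normal + "&" + CANCEL_PARAM + "=Cancel";   // the parameter added "ad-hoc" to the GET
        System.out.println("bad input, no cancel  : " + processUnhardened(transfer, parseQuery(normal)));
        System.out.println("bad input, forged cancel: " + processUnhardened(transfer, parseQuery(forged)));
        System.out.println("same request, hardened  : " + processHardened(transfer, parseQuery(forged)));
    }
}
```

Running `main` prints INPUT_ERRORS for the plain request, EXECUTED_UNVALIDATED once the cancel parameter is appended, and REJECTED under the hardened flow. The point of the per-mapping `cancellable` flag is that "cancel" stops being a global escape hatch and becomes something each action has to ask for, which is exactly the difference between "Struts allows cancel" and "EVERY action can be cancelled" in the quoted post. Marking a mapping cancellable still obliges its action to call `isCancelled()`, as the `actionChecksCancel` branch shows.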