Tehmina Beg wrote:
Hi, in the older versions 1.0 - 1.2.8 (I think), there was a security issue with the cancel key request parameter being able to be spoofed.
You're correct, the fix for this went into 1.2.9 [1]. For details of the problem and its impact, see the original bug report [2] and the discussion threads referenced there.
I'm not sure I understand how this works, so please correct me if I'm wrong. Say you have a page with a single field and submit; if you set the cancel request parameter in the URL to true, does it mean that you can still submit user input? Then, since the ActionForm's validate() method is bypassed, the user input would still go straight to the Action to carry out whatever business ops?
Exactly. If the action doesn't check for the 'canceled' condition (as it reasonably wouldn't unless the developer had intended to allow cancellation), the action will execute as if validation had succeeded, even though it was never run.
What I also didn't really understand is that in later versions there was an attribute 'cancellable' which determines whether or not an action is allowed to be cancelled. If cancellable is set to true, is it still possible to spoof the parameter and enter user input to be carried out without validation?
The cancellable property was added so that it would not be possible to cancel a request (i.e. spoof a cancel) unless the developer had explicitly configured the action to be cancellable. So, cancel spoofs against actions which aren't configured to be cancellable won't work. If you *do* so configure the action (by setting cancellable to true), the onus is on you to ensure you check for cancellation before doing anything 'unsafe' with the received input.
L.

[1] http://struts.apache.org/1.x/userGuide/release-notes-1_2_9.html
[2] http://issues.apache.org/bugzilla/show_bug.cgi?id=38374
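As an added example (not code from this thread or from Struts itself), here is the shape of an action that is deliberately configured with cancellable="true" and therefore guards its own business logic, since ActionForm.validate() is skipped on a cancelled request. The class names TransferAction and TransferForm, the forward names and the struts-config paths are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

/* Matching struts-config.xml entry (assumed names). Without cancellable="true",
   a 1.2.9+ RequestProcessor refuses a cancel for this mapping outright, so the
   check below only matters once you have opted in:

   <action path="/transfer" type="TransferAction" name="transferForm"
           scope="request" validate="true" input="/transfer.jsp"
           cancellable="true">
     <forward name="success" path="/done.jsp"/>
     <forward name="cancel"  path="/index.jsp"/>
   </action>
*/

// Hypothetical form: its validate() runs on a normal submit but NOT on a
// cancelled one, which is exactly why the action must not trust the data then.
class TransferForm extends ActionForm {
    private String amount;
    public String getAmount() { return amount; }
    public void setAmount(String amount) { this.amount = amount; }

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (amount == null || !amount.matches("\\d{1,9}")) {
            errors.add("amount", new ActionMessage("errors.invalid", "amount"));
        }
        return errors;
    }
}

public class TransferAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // First thing: a cancelled request arrives with validation bypassed,
        // so leave before touching any of the (unvalidated) form fields.
        if (isCancelled(request)) {
            return mapping.findForward("cancel");
        }
        // Only reachable on the validated path.
        TransferForm transfer = (TransferForm) form;
        // ... perform the business operation using transfer.getAmount() ...
        return mapping.findForward("success");
    }
}
```

The cancel check must be the first statement of execute(); any use of the form before it is a use of input that validate() never saw.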