Does that deal with the submit button name thing?

d.

--- Jeromy Evans <[EMAIL PROTECTED]> wrote:

> Dale Newfield wrote:
> > Don Brown wrote:
> >> Little known fact, but you can specify the method via:
> >>
> >> "?method:MY_METHOD_NAME"
> >>
> >> This code exists to support the method attribute on the submit tag,
> >> allowing you to submit the form to different methods based on what
> >> button is clicked.
> >
> > I wondered how the submit tag argument worked.
> > I would argue this is as big a security vulnerability as the
> > "action!method" capability. (As, for example, it can allow less
> > privileged users to access more privileged methods that the author
> > thought were protected via the url pattern by something like
> > org.acegisecurity.intercept.web.FilterSecurityInterceptor.) Is there
> > any way to restrict which methods are valid there, or to turn this
> > capability off?
> >
> > -Dale
>
> I always use the following configuration to minimise the vulnerability:
>
> <action name="/home_*" method="do{1}">
>
> </action>
>
> With that setting, only methods with the prefix "do" in their name can
> be executed.
> i.e. ?method:update calls doUpdate()
>
> cheers,
> Jeromy Evans
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]