Here is a better example of what I am concerned about ... I send emails in my application, and I use Spring to configure a JavaMailSender - this has a getter/setter for the "from" email address ... as well, I use a singleton bean for this object (this is the Spring default nowadays), so a malicious user could send in a form parameter for mailSender.fromEmail, and then every email that my application sends would be from whatever string they submitted ...
I am implementing the ParameterNameAware interface in Struts 2.0.11, and am checking by doing parameterName.startsWith("mailSender") ? false : true; -- this is returning false; however, the value is still being set on my object. Am I doing something wrong here?

On Thu, Feb 28, 2008 at 10:35 AM, Dave Newton <[EMAIL PROTECTED]> wrote:
> --- Brian Relph <[EMAIL PROTECTED]> wrote:
> > So I guess this is a legitimate security concern. Is there a
> > cleaner way to do this? Is there annotations support for it?
>
> Not that I'm aware of.
>
> Note that setting a DAO-style class with a string would most likely end in
> an exception.
>
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
Brian
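One way to write the ParameterNameAware check, as an added example that is not code from this thread or from Struts itself. It assumes the XWork 2 interface com.opensymphony.xwork2.interceptor.ParameterNameAware with its single method acceptableParameterName(String), which the parameters interceptor calls for every request parameter name before setting anything on the action. The MailConfig class is a hypothetical stand-in for the Spring-configured sender bean so the example compiles without Spring. Instead of the startsWith("mailSender") denylist from the message, the action keeps an allowlist of plain property names, so every nested expression (anything containing '.', '[', '(' or '#') is refused by construction, for mailSender and for any other bean the action happens to expose through a getter.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical Struts 2 action (added example, not from the thread).
 * It exposes a Spring-injected mail bean through getMailSender(), so a
 * request parameter named "mailSender.fromEmail" would, without a name
 * filter, be resolved by OGNL to getMailSender().setFromEmail(...).
 */
public class SendMailAction extends ActionSupport implements ParameterNameAware {

    /** Hypothetical stand-in for the Spring-configured sender bean. */
    public static class MailConfig {
        private String fromEmail;
        public String getFromEmail() { return fromEmail; }
        public void setFromEmail(String fromEmail) { this.fromEmail = fromEmail; }
    }

    /** The only parameter names the HTML form is allowed to set. */
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("to", "subject", "body"));

    /** Allowed names are plain identifiers: no '.', '[', '(' or '#'. */
    private static final Pattern PLAIN = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    private MailConfig mailSender;   // set by Spring in the real application
    private String to;
    private String subject;
    private String body;

    /**
     * Called by the parameters interceptor for each request parameter name.
     * Returning false makes the interceptor skip that parameter entirely.
     * The allowlist needs no knowledge of which bean names the action
     * exposes; a name that is not a plain, listed property is refused.
     */
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && PLAIN.matcher(parameterName).matches()
                && ALLOWED.contains(parameterName);
    }

    /** The prefix denylist from the message, kept here only for comparison. */
    static boolean denylistCheck(String parameterName) {
        return !parameterName.startsWith("mailSender");
    }

    public MailConfig getMailSender() { return mailSender; }
    public void setMailSender(MailConfig mailSender) { this.mailSender = mailSender; }
    public String getTo() { return to; }
    public void setTo(String to) { this.to = to; }
    public String getSubject() { return subject; }
    public void setSubject(String subject) { this.subject = subject; }
    public String getBody() { return body; }
    public void setBody(String body) { this.body = body; }

    public String execute() {
        // The "from" address is read from the Spring bean, never from the request.
        return SUCCESS;
    }

    /** Constructed sample parameter names, run through both checks. */
    public static void main(String[] args) {
        SendMailAction action = new SendMailAction();
        String[] names = {"to", "subject", "mailSender.fromEmail", "mailSender",
                          "otherBean.value"};
        for (String n : names) {
            System.out.printf("%-24s allowlist=%-5b startsWith-denylist=%b%n",
                    n, action.acceptableParameterName(n), denylistCheck(n));
        }
    }
}
```

Running main prints that the allowlist accepts only "to" and "subject", while the prefix denylist also lets "otherBean.value" through: it guards one root name and nothing else the action exposes. When checking whether the interceptor honours the method at all, keep in mind that acceptableParameterName must be public and declared on the action class that the interceptor actually receives; a log line inside it is the quickest way to confirm it is being called for the parameter in question.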