Brian Relph wrote:
Here is a better example of what I am concerned about ...
I send emails in my application, and I use Spring to configure a
JavaMailSender - this has a getter/setter for the "from" email address ... as
well, I use a singleton bean for this object (this is the Spring default
nowadays), so a malicious user could send in a form parameter for
mailSender.fromEmail, and then every email that my application sends would
be from whatever string they submitted ...
That would require a getMailSender() on the action, wouldn't it? I'd
strongly suggest not having getters for 'sensitive' internals like that :-)
You might also want to consider breaking your action into two pieces:
the action that handles exposing data to pages / reading input from
users, and a 'service' class which holds references to DAOs and utility
classes like JavaMailSender. That could greatly reduce the surface area
of what is addressable through the action.
L.
I am implementing the ParameterNameAware interface in Struts 2.0.11, and am
checking doing parameterName.startsWith("mailSender") ? false : true; --
this is returning false, however, the value is still being set on my object.
Am I doing something wrong here?
On Thu, Feb 28, 2008 at 10:35 AM, Dave Newton <[EMAIL PROTECTED]> wrote:
--- Brian Relph <[EMAIL PROTECTED]> wrote:
So i guess this is a legitimate security concern. Is there a
cleaner way to do this? Is there annotations support for it?
Not that I'm aware of.
Note that setting a DAO-style class with a string would most likely end in
an exception.
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
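An added example, not code from the thread, putting together the two suggestions above: an allowlist-based `acceptableParameterName` on a Struts 2.0.x action (the xwork2 `ParameterNameAware` interface Brian mentions), and the `JavaMailSender` moved into a service class that the action holds without a getter. `SignupAction` and `NotificationService` are hypothetical names; the Spring wiring is assumed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.springframework.mail.javamail.JavaMailSender;

/** Hypothetical service: owns the mail plumbing so the action never exposes it. */
class NotificationService {
    private final JavaMailSender mailSender; // injected by Spring; no getter here either

    NotificationService(JavaMailSender mailSender) { this.mailSender = mailSender; }

    void sendWelcome(String recipient, String displayName) {
        // build a MimeMessage from fixed, server-side settings and send via mailSender
    }
}

public class SignupAction extends ActionSupport implements ParameterNameAware {
    // Allowlist: the only request parameter names that may be bound onto this action.
    private static final Set<String> ALLOWED =
        new HashSet<String>(Arrays.asList("email", "displayName"));
    // A plain property name; anything with '.', '[' or '(' is an OGNL expression, not a field.
    private static final Pattern SIMPLE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_]*");

    // Collaborator with a setter for Spring only and deliberately no getter,
    // so "notificationService.mailSender.from" has nothing to resolve through.
    private NotificationService notificationService;
    private String email;
    private String displayName;

    // Called by ParametersInterceptor for every incoming parameter name.
    // Returning false drops the parameter before any setter or OGNL path is evaluated,
    // so "mailSender.fromEmail" is rejected here rather than matched against a denylist.
    public boolean acceptableParameterName(String parameterName) {
        return SIMPLE_NAME.matcher(parameterName).matches() && ALLOWED.contains(parameterName);
    }

    public String execute() {
        notificationService.sendWelcome(email, displayName);
        return SUCCESS;
    }

    public void setNotificationService(NotificationService s) { this.notificationService = s; }
    public void setEmail(String email) { this.email = email; }
    public String getEmail() { return email; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getDisplayName() { return displayName; }
}
```

Because the check is an allowlist of simple names, a new collaborator added to the action later is protected without remembering to extend a `startsWith` denylist.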