Posted to issues@struts.apache.org by "Dave Newton (JIRA)" <ji...@apache.org> on 2009/01/08 23:44:45 UTC

[jira] Commented: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

    [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45453#action_45453 ] 

Dave Newton commented on WW-2949:
---------------------------------

Keeping it in session is server-side, and a well-known mechanism.

I guess I'd need to see a use-case, or an example of what you'd want this to look like. Once the form is rendered the action that rendered it is gone--without thinking about it in depth it seems like any solution would use one of the existing mechanisms for keeping the data anyway, so I'm not really sure what you're proposing.

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass parameter value from Action->form->Action, need to use URL parameter or <s:hidden>
> URL can be manipulated manually and hidden form field can be altered via Firefox plugin, etc
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc and the URL can be altered directly
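
The session-based hand-off mentioned in the comment above, as an added example that is not code from the thread or from Struts: the first action keeps the record id in the server-side session and the form carries only an opaque single-use token, so altering a hidden field or URL parameter cannot change which record the second action works on. All names are hypothetical, and the plain `Map` is an assumed stand-in for the session map a Struts 2 action receives when it implements `SessionAware`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration with hypothetical names; the Map models one user's server-side session.
public class SessionHandoffDemo {
    static final String KEY = "editAccount.pending"; // hypothetical session key prefix
    static final SecureRandom RNG = new SecureRandom();

    // First action: renders the form. The record id stays on the server;
    // the form only carries an opaque, unguessable token.
    static String renderForm(Map<String, Object> session, long accountId) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(KEY + "." + token, accountId);
        return token; // the only value that would go into a hidden field
    }

    // Second action: handles the submit. Any id sent by the browser is ignored;
    // the id is recovered from the session and the entry is consumed (single use).
    static long handleSubmit(Map<String, Object> session, Map<String, String> requestParams) {
        String token = requestParams.get("token");
        Object stored = token == null ? null : session.remove(KEY + "." + token);
        if (!(stored instanceof Long)) {
            throw new IllegalStateException("no pending edit for this session/token");
        }
        return (Long) stored;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed stand-in session
        String token = renderForm(session, 1001L);

        // Constructed request: the client added its own accountId parameter.
        Map<String, String> params = new HashMap<>();
        params.put("token", token);
        params.put("accountId", "9999"); // tampered value, never read by the server
        System.out.println("id used by server: " + handleSubmit(session, params));

        try {
            handleSubmit(session, params); // replay of the same token
        } catch (IllegalStateException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

A changed or guessed token only produces a lookup miss in that user's own session, which the second action treats as an error.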
