Posted to user@struts.apache.org by Grish <gi...@hotmail.com> on 2007/08/01 03:57:39 UTC
Re: [S2] Parameterized File Downloading
Hmmm good point. So does this mean that the only secure way of having
downloads is to have specific actions for each download? Or is there a
better approach?
DNewfield wrote:
>
> Grish wrote:
>> I studied the struts showcase sample of file downloading. I wanted to do
>> something similar but instead of setting the inputPath parameter in
>> struts.xml I wanted to pass it in the url.
>
> Sounds like you're opening a very large security hole here...
>
> -Dale
--
View this message in context: http://www.nabble.com/-S2--Parameterized-File-Downloading-tf4191759.html#a11938299
Sent from the Struts - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: [S2] Parameterized File Downloading
Posted by Grish <gi...@hotmail.com>.
Ok, I finally see the error of my ways:
I originally defined my parameter like this:
<s:param name="inputPath" value="/images/bg_pattern.gif" />
when it should be like this:
<s:param name="inputPath" value="%{'/images/bg_pattern.gif'}" />
now the proper string is passed.
Thanks so much for the help!
DNewfield wrote:
>
> Grish wrote:
>> <s:url id="downloadUrl" action="download" namespace="/filedownload">
>> <s:param name="inputPath" value="/images/test.gif" />
>> </s:url>
>> <s:a href="%{downloadUrl}">Get image</s:a>
>
> So does this generate a link relative to your webapp of
> filedownload/download.action?inputPath=/images/test.gif
>
> ?
>
> ( note, ".action" could be ".do", ".html" or whatever you have that
> extension set to, apparently even "". (I may have to try that in my
> app...) )
>
> If so, then the problem is somewhere between the receipt of the request
> and the handoff after the execute() method is run from the bean defined
> as fileDownloadAction. I leave it to you to trace through the process.
> Is the setter being called? In the execute method is there a value? Is
> it using the class you think it's using? You can specify a method
> (other than the default execute) if you'd like to put your checks there.
>
> -Dale
--
View this message in context: http://www.nabble.com/-S2--Parameterized-File-Downloading-tf4191759.html#a11976775
Re: [S2] Parameterized File Downloading
Posted by Dale Newfield <Da...@Newfield.org>.
Grish wrote:
> <s:url id="downloadUrl" action="download" namespace="/filedownload">
> <s:param name="inputPath" value="/images/test.gif" />
> </s:url>
> <s:a href="%{downloadUrl}">Get image</s:a>
So does this generate a link relative to your webapp of
filedownload/download.action?inputPath=/images/test.gif
?
( note, ".action" could be ".do", ".html" or whatever you have that
extension set to, apparently even "". (I may have to try that in my
app...) )
If so, then the problem is somewhere between the receipt of the request
and the handoff after the execute() method is run from the bean defined
as fileDownloadAction. I leave it to you to trace through the process.
Is the setter being called? In the execute method is there a value? Is
it using the class you think it's using? You can specify a method
(other than the default execute) if you'd like to put your checks there.
-Dale
Re: [S2] Parameterized File Downloading
Posted by Grish <gi...@hotmail.com>.
Good ideas! I tried them out; my only problem now is that if I try to pass the
parameter via the link, I still get the following error:
Can not find a java.io.InputStream with the name [inputStream] in the
invocation stack. Check the tag specified for this action.
this is my action:
<package name="filedownload" extends="struts-default" namespace="/filedownload">
    <action name="download" class="fileDownloadAction">
        <result name="success" type="stream">
            <param name="contentType">image/gif</param>
            <param name="inputName">inputStream</param>
            <param name="contentDisposition">filename="test.gif"</param>
            <param name="bufferSize">4096</param>
        </result>
    </action>
</package>
Same as in the Struts 2 showcase example, but I removed the set parameter for
the action.
Then I defined my link like so:
<s:url id="downloadUrl" action="download" namespace="/filedownload">
<s:param name="inputPath" value="/images/test.gif" />
</s:url>
<s:a href="%{downloadUrl}">Get image</s:a>
I check the logs and I notice my inputPath parameter in my
fileDownloadAction is null. I have a setter for my inputPath parameter so I
don't understand why it's null or why I get this error.
Is there something wrong with my setup? If I do put a parameter for the
inputPath in my action definition like in the Struts 2 showcase example, it
works fine. Any ideas?
DNewfield wrote:
>
> Grish wrote:
>> Hmmm good point. So does this mean that the only secure way of having
>> downloads is to have specific actions for each download? Or is there a
>> better approach?
>
> I don't claim to know what the best approach is. As long as your action
> does sufficient validation of the specified input path (like checking
> against a whitelist, or only allowing from certain directories (check
> for ".." path segments!)), your approach may be OK. I tend to have a
> separate action for each "category" of stuff downloaded from my app
> (along with category-specific validation). Since I don't know your
> requirements, I cannot know that that is applicable for you.
>
> -Dale
--
View this message in context: http://www.nabble.com/-S2--Parameterized-File-Downloading-tf4191759.html#a11957463
Re: [S2] Parameterized File Downloading
Posted by Dale Newfield <Da...@Newfield.org>.
Grish wrote:
> Hmmm good point. So does this mean that the only secure way of having
> downloads is to have specific actions for each download? Or is there a
> better approach?
I don't claim to know what the best approach is. As long as your action
does sufficient validation of the specified input path (like checking
against a whitelist, or only allowing from certain directories (check
for ".." path segments!)), your approach may be OK. I tend to have a
separate action for each "category" of stuff downloaded from my app
(along with category-specific validation). Since I don't know your
requirements, I cannot know that that is applicable for you.
-Dale
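Added here as a worked example, not code from this thread, from Struts, or from either poster: a small Java policy class that implements the checks Dale lists above (a whitelist of file types, a single allowed directory, and outright rejection of ".." path segments), written the way a download action would validate the value handed to its setInputPath setter before inputStream is ever opened. The class name DownloadPathPolicy, the base directory, the extension list and the temp-directory fixture in main are all constructed for this example. It needs Java 9 or later for Set.of.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

/**
 * Example policy object (not part of the thread or of Struts): decides whether a
 * user-supplied "inputPath" request parameter may be served from this webapp.
 */
public final class DownloadPathPolicy {

    // Assumption for the example: the only directory files may be served from.
    private final Path baseDir;
    // Assumption for the example: the file types this download action may serve.
    private final Set<String> allowedExtensions;

    public DownloadPathPolicy(Path baseDir, Set<String> allowedExtensions) throws IOException {
        // Canonicalise once so later containment checks compare like with like.
        this.baseDir = baseDir.toRealPath();
        this.allowedExtensions = allowedExtensions;
    }

    /**
     * Returns the real, validated file to stream, or null if the request must be refused.
     */
    public Path resolve(String inputPath) throws IOException {
        if (inputPath == null || inputPath.isEmpty()) {
            return null;
        }
        // Dale's check: refuse any ".." segment before doing anything with the path.
        for (String segment : inputPath.split("/")) {
            if (segment.equals("..")) {
                return null;
            }
        }
        // NUL bytes and backslashes have no business in a webapp-relative path.
        if (inputPath.indexOf('\0') >= 0 || inputPath.indexOf('\\') >= 0) {
            return null;
        }
        // The s:url links in the thread use webapp-relative paths such as
        // "/images/test.gif", so a leading slash means "relative to baseDir".
        String relative = inputPath.startsWith("/") ? inputPath.substring(1) : inputPath;
        Path candidate = baseDir.resolve(relative).normalize();
        // Containment: catches anything that escaped, including "//etc/passwd",
        // which becomes an absolute path once the first slash is removed.
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        // Whitelist of file types (Dale's "checking against a whitelist").
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || !allowedExtensions.contains(name.substring(dot + 1).toLowerCase())) {
            return null;
        }
        // Only regular files, and re-check containment after following symlinks.
        if (!Files.isRegularFile(candidate)) {
            return null;
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            return null;
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a throwaway webapp root with one image and a WEB-INF file.
        Path root = Files.createTempDirectory("webapp");
        Files.createDirectories(root.resolve("images"));
        Files.write(root.resolve("images/test.gif"), new byte[] {'G', 'I', 'F'});
        Files.createDirectories(root.resolve("WEB-INF"));
        Files.write(root.resolve("WEB-INF/web.xml"), new byte[0]);

        DownloadPathPolicy policy = new DownloadPathPolicy(root, Set.of("gif", "png", "jpg"));
        String[] requests = {
            "/images/test.gif",           // the legitimate link from the s:url tag
            "/images/../WEB-INF/web.xml", // ".." segment: refused before resolution
            "/WEB-INF/web.xml",           // inside the webapp but not a whitelisted type
            "//etc/passwd",               // absolute once one slash is stripped: fails containment
        };
        for (String r : requests) {
            Path resolved = policy.resolve(r);
            System.out.println(r + " -> " + (resolved == null ? "rejected" : resolved));
        }
    }
}
```

In a Struts action this sits between the setter and the stream: setInputPath stores the raw parameter, execute() calls resolve(), a null result maps to an error result instead of the "success" stream result, and only the returned path is opened (for example with Files.newInputStream) to populate the inputStream property that the stream result reads. Keeping the policy in its own class also makes Dale's "one action per category" arrangement cheap, since each category action can carry its own base directory and extension list.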