You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by Grish <gi...@hotmail.com> on 2007/08/01 03:57:39 UTC

Re: [S2] Parameterized File Downloading

Hmmm good point. So does this mean that the only secure way of having
downloads is to have specific actions for each download? Or is there a
better approach?


DNewfield wrote:
> 
> Grish wrote:
>> I studied the struts showcase sample of file downloading. I wanted to do
>> something similar but instead of setting the inputPath paremeter in
>> struts.xml I wanted to pass it in the url.
> 
> Sounds like you're opening a very large security hole here...
> 
> -Dale
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/-S2--Parameterized-File-Downloading-tf4191759.html#a11938299
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: [S2] Parameterized File Downloading

Posted by Grish <gi...@hotmail.com>.

Ok, I finally see the error of my ways:

I originally defined my parameter like this:
<s:param name="inputPath" value="/images/bg_pattern.gif" />

when it should be like this:

<s:param name="inputPath" value="%{'/images/bg_pattern.gif'}" />

now the proper string is passed.
Thanks so much for the help!


DNewfield wrote:
> 
> Grish wrote:
>> <s:url id="downloadUrl" action="download" namespace="/filedownload">
>>   <s:param name="inputPath" value="/images/test.gif" />
>> </s:url>
>> <s:a href="%{downloadUrl}">Get image</s:a>
> 
> So does this generate a link relative to your webapp of 
> filedownload/download.action?inputPath=/images/test.gif
> 
> ?
> 
> ( note, ".action" could be ".do", ".html" or whatever you have that 
> extension set to, apparently even "".  (I may have to try that in my 
> app...) )
> 
> If so, then the problem is somewhere between the receipt of the request 
> and the handoff after the execute() method is run from the bean defined 
> as fileDownloadAction.  I leave it to you to trace through the process.
> Is the setter being called?  In the execute method is there a value?  Is 
> it using the class you think it's using?  You can specify a method 
> (other than the default execute) if you'd like to put your checks there.
> 
> -Dale
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/-S2--Parameterized-File-Downloading-tf4191759.html#a11976775
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: [S2] Parameterized File Downloading

Posted by Dale Newfield <Da...@Newfield.org>.

Grish wrote:
> <s:url id="downloadUrl" action="download" namespace="/filedownload">
>   <s:param name="inputPath" value="/images/test.gif" />
> </s:url>
> <s:a href="%{downloadUrl}">Get image</s:a>

So does this generate a link relative to your webapp of 
filedownload/download.action?inputPath=/images/test.gif

?

( note, ".action" could be ".do", ".html" or whatever you have that 
extension set to, apparently even "".  (I may have to try that in my 
app...) )

If so, then the problem is somewhere between the receipt of the request 
and the handoff after the execute() method is run from the bean defined 
as fileDownloadAction.  I leave it to you to trace through the process.
Is the setter being called?  In the execute method is there a value?  Is 
it using the class you think it's using?  You can specify a method 
(other than the default execute) if you'd like to put your checks there.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: [S2] Parameterized File Downloading

Posted by Grish <gi...@hotmail.com>.

Good ideas! I try them out, my only problem now is that if i try to pass the
parameter via the link, I still get the following error:

Can not find a java.io.InputStream with the name [inputStream] in the
invocation stack. Check the  tag specified for this action.

this is my action:

<package name="filedownload" extends="struts-default"
namespace="/filedownload">

        <action name="download" class="fileDownloadAction" >
        	
            <result name="success" type="stream">
                image/gif
                inputStream
                filename="test.gif"
                4096
            </result>
        </action>

</package>

Same as in the struts 2 showcase example but I removed the set parameter for
the action.

Then I defined my link like so:

<s:url id="downloadUrl" action="download" namespace="/filedownload">
  <s:param name="inputPath" value="/images/test.gif" />
</s:url>
<s:a href="%{downloadUrl}">Get image</s:a>

I check the logs and I notice my inputPath parameter in my
fileDownloadAction is null. I have a setter for my inputPath parameter so I
don't understand why it's null or why I get this error.

Is there something wrong with my setup? If I do put a parameter for the
inputPath in my action definition like in the Struts 2 showcase example, it
works fine. Any ideas?



DNewfield wrote:
> 
> Grish wrote:
>> Hmmm good point. So does this mean that the only secure way of having
>> downloads is to have specific actions for each download? Or is there a
>> better approach?
> 
> I don't claim to know what the best approach is.  As long as your action 
> does sufficient validation of the specified input path (like checking 
> against a whitelist, or only allowing from certain directories (check 
> for ".." path segments!)), your approach may be OK.  I tend to have a 
> separate action for each "category" of stuff downloaded from my app 
> (along with category-specific validation).  Since I don't know your 
> requirements, I cannot know that that is applicable for you.
> 
> -Dale
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/-S2--Parameterized-File-Downloading-tf4191759.html#a11957463
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: [S2] Parameterized File Downloading

Posted by Dale Newfield <Da...@Newfield.org>.

Grish wrote:
> Hmmm good point. So does this mean that the only secure way of having
> downloads is to have specific actions for each download? Or is there a
> better approach?

I don't claim to know what the best approach is.  As long as your action 
does sufficient validation of the specified input path (like checking 
against a whitelist, or only allowing from certain directories (check 
for ".." path segments!)), your approach may be OK.  I tend to have a 
separate action for each "category" of stuff downloaded from my app 
(along with category-specific validation).  Since I don't know your 
requirements, I cannot know that that is applicable for you.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org