Posted to issues@struts.apache.org by "Dave Newton (JIRA)" <ji...@apache.org> on 2010/12/01 23:08:14 UTC
[jira] Commented: (WW-3537) XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java
[ https://issues.apache.org/jira/browse/WW-3537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12965872#action_12965872 ]
Dave Newton commented on WW-3537:
---------------------------------
Isn't this just the old issue that culminated in dynamic method invocation being false by default?
(I guess I'm not sure how this is XSRF/request-type related other than you could validate the type, but I don't see how that prevents XSRF--isn't that explicitly stated on the reference you cite?)
> XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java
> ---------------------------------------------------------------------------------------------------
>
> Key: WW-3537
> URL: https://issues.apache.org/jira/browse/WW-3537
> Project: Struts 2
> Issue Type: Bug
> Components: Plugin - REST
> Affects Versions: 2.2.1
> Reporter: Stefan Magnus Landrø
> Assignee: Lukasz Lenart
> Fix For: 2.2.1.1
>
>
> I believe I've just found a major XSRF flaw in the REST plugin's RestActionMapper.
> See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 for more details concerning XSRF.
> Manually performing a GET request on a create() method using the name!method convention, the create() method actually gets invoked (btw, the model is also populated).
> As far as I can see, ANY of the operations with side effects (create, update, destroy) can be invoked this way (using a GET request).
> The code in RestActionMapper seems to totally ignore the HTTP-method used:
>     // handle "name!method" convention.
>     String name = mapping.getName();
>     int exclamation = name.lastIndexOf("!");
>     if (exclamation != -1) {
>         mapping.setName(name.substring(0, exclamation));
>         mapping.setMethod(name.substring(exclamation + 1));
>     }
> Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD REQUEST or similar.
> Has this issue been addressed before?
> In the current state, I would not recommend using the REST plugin for production use.
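An added illustration of the point in the report, not code from the Struts REST plugin (class and method names are hypothetical; assumes Java 16+ for the record type): the quoted "name!method" parsing beside a variant that checks the HTTP verb before dispatching a side-effecting action.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Hypothetical stand-alone resolver, not the plugin's RestActionMapper.
public final class MethodAwareMapper {

    /** Action name and Java method that a request resolves to. */
    public record Mapping(String name, String method) {}

    // Side-effecting actions are only reachable through verbs that are
    // allowed to cause side effects; GET/HEAD are never in these sets.
    // The exact policy here is an assumption for the example.
    private static final Map<String, Set<String>> ALLOWED_HTTP = Map.of(
        "create",  Set.of("POST"),
        "update",  Set.of("PUT", "POST"),    // POST kept for HTML form clients
        "destroy", Set.of("DELETE", "POST")
    );

    /** Behaviour of the quoted snippet: split on the last '!' and trust the
     *  caller-supplied method name regardless of the HTTP verb. */
    public static Mapping resolveUnchecked(String name) {
        int exclamation = name.lastIndexOf('!');
        if (exclamation == -1) {
            return new Mapping(name, "index");
        }
        return new Mapping(name.substring(0, exclamation),
                           name.substring(exclamation + 1));
    }

    /** Hardened variant: same parsing, but empty (caller should answer
     *  405 Method Not Allowed) when the resolved method has side effects
     *  and the verb is not one permitted for it. Note that this only
     *  closes the GET-link case from the report; a cross-site form can
     *  still POST, so a per-request token is still needed against CSRF,
     *  as the comment above points out. */
    public static Optional<Mapping> resolve(String name, String httpMethod) {
        Mapping m = resolveUnchecked(name);
        Set<String> allowed = ALLOWED_HTTP.get(m.method());
        if (allowed != null && !allowed.contains(httpMethod.toUpperCase())) {
            return Optional.empty();
        }
        return Optional.of(m);
    }

    public static void main(String[] args) {
        System.out.println(resolveUnchecked("orders!create"));
        System.out.println(resolve("orders!create", "GET"));
        System.out.println(resolve("orders!create", "POST"));
    }
}
```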