Posted to dev@tomcat.apache.org by Christian Cryder <ch...@granitepeaks.com> on 2004/03/01 22:47:09 UTC

Question about HttpServletRequest.getParameterValues()

Hey folks, I've just noticed something interesting...

The 2.3 HttpServletRequest interface provides a setAttribute() method to
change the values of a given attribute. It does NOT however provide a
similar setParameter() method, allowing you to programmatically modify the
values that accompany the request - I assume this means that we shouldn't be
able to change these values.

What I've discovered however, is that I _can_ modify parameter values by
calling getParameterValues() (which returns String[]) and set the values
that way. For instance:

    Enumeration names = req.getParameterNames();
    while (names.hasMoreElements()) {
        String key = (String) names.nextElement();
        String vals[] = req.getParameterValues(key);
        for (int i=0, max=vals.length; i<max; i++) {
            // mask the password before logging; this writes into the returned array
            if (key.equalsIgnoreCase("password")) vals[i] = "********";
            logger.info("...key:"+key+" value:"+vals[i]);
        }
    }

This has the surprising (to me anyway) effect of actually _modifying_ the
underlying value for the particular key. Is this simply an implementation
oversight? I had assumed that the method would be returning a copy of the
underlying data structure, rather than a reference to the structure itself.

This isn't really a problem for me, but I thought it was interesting and I'm
curious to know if this was intentional or not. Anyone care to comment?

Thanks much,
Christian
----------------------------------------------
Christian Cryder
Internet Architect, ATMReports.com
Project Chair, BarracudaMVC - http://barracudamvc.org
----------------------------------------------
"Coffee? I could quit anytime, just not today"


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Re: Question about HttpServletRequest.getParameterValues()

Posted by Jan Luehe <Ja...@Sun.COM>.
Remy Maucherat wrote:
> Jan Luehe wrote:
> 
>> This is a bug. The String[] returned by req.getParameterValues() should
>> have been a clone.
>>
>> I just committed a fix.
> 
> 
> I'd like to point out that this "bug" is not worth any performance drop. 
> You should move those clones to the case where there's a security manager.

Fair enough.

Jan





Re: Question about HttpServletRequest.getParameterValues()

Posted by Remy Maucherat <re...@apache.org>.
Jan Luehe wrote:
> This is a bug. The String[] returned by req.getParameterValues() should
> have been a clone.
> 
> I just committed a fix.

I'd like to point out that this "bug" is not worth any performance drop. 
You should move those clones to the case where there's a security manager.

Rémy



Re: Question about HttpServletRequest.getParameterValues()

Posted by Jan Luehe <Ja...@Sun.COM>.
Hi Christian,

> The 2.3 HttpServletRequest interface provides a setAttribute() method to
> change the values of a given attribute. It does NOT however provide a
> similar setParameter() method, allowing you to programmatically modify the
> values that accompany the request - I assume this means that we shouldn't be
> able to change these values.
> 
> What I've discovered however, is that I _can_ modify parameter values by
> calling getParameterValues() (which returns String[]) and set the values
> that way. For instance:
> 
>     Enumeration names = req.getParameterNames();
>     while (names.hasMoreElements()) {
>         String key = (String) names.nextElement();
>         String vals[] = req.getParameterValues(key);
>         for (int i=0, max=vals.length; i<max; i++) {
>             // mask the password before logging; this writes into the returned array
>             if (key.equalsIgnoreCase("password")) vals[i] = "********";
>             logger.info("...key:"+key+" value:"+vals[i]);
>         }
>     }
> 
> This has the surprising (to me anyway) effect of actually _modifying_ the
> underlying value for the particular key. Is this simply an implementation
> oversight? I had assumed that the method would be returning a copy of the
> underlying data structure, rather than a reference to the structure itself.
> 
> This isn't really a problem for me, but I thought it was interesting and I'm
> curious to know if this was intentional or not. Anyone care to comment?

This is a bug. The String[] returned by req.getParameterValues() should
have been a clone.

I just committed a fix.

Thanks,

Jan


> Thanks much,
> Christian
> ----------------------------------------------
> Christian Cryder
> Internet Architect, ATMReports.com
> Project Chair, BarracudaMVC - http://barracudamvc.org
> ----------------------------------------------
> "Coffee? I could quit anytime, just not today"
> 
> 



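Added example, not part of the original thread and not Tomcat's code: the aliasing discussed above, reproduced without the servlet API. The Params class and its getValuesLive/getValuesCopy methods are hypothetical stand-ins for a container's parameter store, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ParameterAliasingDemo {

    // Hypothetical stand-in for a container's request parameter store.
    static class Params {
        private final Map<String, String[]> values = new LinkedHashMap<>();

        void put(String name, String... vals) { values.put(name, vals); }

        // Behaviour described in the thread: the caller gets the internal array.
        String[] getValuesLive(String name) { return values.get(name); }

        // Defensive copy: the caller gets a clone, the internal array stays private.
        String[] getValuesCopy(String name) {
            String[] v = values.get(name);
            return v == null ? null : v.clone();
        }
    }

    // Masks sensitive values for logging without writing into the array it was given.
    static String forLog(String key, String[] vals) {
        StringBuilder sb = new StringBuilder("key:").append(key).append(" values:");
        for (int i = 0; i < vals.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(key.equalsIgnoreCase("password") ? "********" : vals[i]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Params req = new Params();
        req.put("user", "alice");        // constructed sample input
        req.put("password", "s3cret");   // constructed sample input

        // In-place masking through the live array changes what later code reads.
        req.getValuesLive("password")[0] = "********";
        System.out.println("after live write: " + req.getValuesLive("password")[0]);

        req.put("password", "s3cret");
        // The same write through a clone leaves the stored value intact.
        req.getValuesCopy("password")[0] = "********";
        System.out.println("after copy write: " + req.getValuesLive("password")[0]);

        // Logging that never mutates works with either getter.
        System.out.println(forLog("password", req.getValuesLive("password")));
    }
}
```

Masking at log time, as forLog does, keeps the credential out of the log regardless of whether the container hands out a copy or the live array.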