You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Christian Cryder <ch...@granitepeaks.com> on 2004/03/01 22:47:09 UTC
Question about HttpServletRequest.getParameterValues()
Hey folks, I've just noticed something interesting...
The 2.3 HttpServletRequest interface provides a setAttribute() method to
change the values of a given attribute. It does NOT however provide a
similar setParameter() method, allowing you to programatically modify the
values that accompany the request - I assume this means that we shouldn't be
able to change these values.
What I've discovered however, is that if I _can_ modify parameter values by
calling getParameterValues() (which returns String[]) and set the values
that way. For instance:
Enumeration enum = req.getParameterNames();
while (enum.hasMoreElements()) {
String key =(String) enum.nextElement();
String vals[] = req.getParameterValues(key);
for (int i=0, max=vals.length; i<max; i++) {
if (key.equalsIgnoreCase("password")) vals[i] = "********";
logger.info("...key:"+key+" value:"+vals[i]);
}
}
This has the surprising (to me anyway) effect of actually _modifying_ the
underlying value for the particular key. Is this simply an implementation
oversight? I had assumed that the method would be returning a copy of the
underlying data structure, rather than a reference to the structure itself.
This isn't really a problem for me, but I thought it was interesting and I'm
curious to know if this was intentional or not. Anyone care to comment?
Thanks much,
Christian
----------------------------------------------
Christian Cryder
Internet Architect, ATMReports.com
Project Chair, BarracudaMVC - http://barracudamvc.org
----------------------------------------------
"Coffee? I could quit anytime, just not today"
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
Re: Question about HttpServletRequest.getParameterValues()
Posted by Jan Luehe <Ja...@Sun.COM>.
Remy Maucherat wrote:
> Jan Luehe wrote:
>
>> This is a bug. The String[] returned by req.getParameterValues() should
>> have been a clone.
>>
>> I just committed a fix.
>
>
> I'd like to point out that this "bug" is not worth any performance drop.
> You should move those clones to the case where there's a security manager.
Fair enough.
Jan
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
Re: Question about HttpServletRequest.getParameterValues()
Posted by Remy Maucherat <re...@apache.org>.
Jan Luehe wrote:
> This is a bug. The String[] returned by req.getParameterValues() should
> have been a clone.
>
> I just committed a fix.
I'd like to point out that this "bug" is not worth any performance drop.
You should move those clones to the case where there's a security manager.
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
Re: Question about HttpServletRequest.getParameterValues()
Posted by Jan Luehe <Ja...@Sun.COM>.
Hi Christian,
> The 2.3 HttpServletRequest interface provides a setAttribute() method to
> change the values of a given attribute. It does NOT however provide a
> similar setParameter() method, allowing you to programatically modify the
> values that accompany the request - I assume this means that we shouldn't be
> able to change these values.
>
> What I've discovered however, is that if I _can_ modify parameter values by
> calling getParameterValues() (which returns String[]) and set the values
> that way. For instance:
>
> Enumeration enum = req.getParameterNames();
> while (enum.hasMoreElements()) {
> String key =(String) enum.nextElement();
> String vals[] = req.getParameterValues(key);
> for (int i=0, max=vals.length; i<max; i++) {
> if (key.equalsIgnoreCase("password")) vals[i] = "********";
> logger.info("...key:"+key+" value:"+vals[i]);
> }
> }
>
> This has the surprising (to me anyway) effect of actually _modifying_ the
> underlying value for the particular key. Is this simply an implementation
> oversight? I had assumed that the method would be returning a copy of the
> underlying data structure, rather than a reference to the structure itself.
>
> This isn't really a problem for me, but I thought it was interesting and I'm
> curious to know if this was intentional or not. Anyone care to comment?
This is a bug. The String[] returned by req.getParameterValues() should
have been a clone.
I just committed a fix.
Thanks,
Jan
> Thanks much,
> Christian
> ----------------------------------------------
> Christian Cryder
> Internet Architect, ATMReports.com
> Project Chair, BarracudaMVC - http://barracudamvc.org
> ----------------------------------------------
> "Coffee? I could quit anytime, just not today"
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org