Posted to dev@struts.apache.org by bu...@apache.org on 2005/01/27 11:59:39 UTC
DO NOT REPLY [Bug 33268] New: -
enhance validator to be also able to validate request parameters/headers
http://issues.apache.org/bugzilla/show_bug.cgi?id=33268
Summary: enhance validator to be also able to validate request
parameters/headers
Product: Struts
Version: 1.2.4
Platform: PC
URL: http://struts.apache.org/userGuide/dev_validator.html
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Validator Framework
AssignedTo: dev@struts.apache.org
ReportedBy: hauser@acm.org
An important application programming security principle is to validate ALL
inputs (owasp.org).
request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
bring many more values into an application than the validator.xml is capable of
validating.
--------------------
RFE: provide a way to also validate header/parameter/attribute fields
(beyond the maxFileSize controller that hopefully is applied also to them)
----------------
See also bug 27062 and bug 33087.
P.S.: One might say that using any of those methods above is "bypassing" the
org.apache.struts.validator.ValidatorForm concept. If we want to avoid that,
wouldn't it be the right approach according to the information-hiding principle
to remove the HttpServletRequest from the
org.apache.struts.action.Action.execute() method signature?
Probably, there would then be the need for a Struts-controlled additional object
allowing validated access to cookies, etc.?
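The "validated access" object the report asks about could look like the following request wrapper. This is an added example, not part of the original report and not Struts code: the class name ValidatedRequest and its rule maps are hypothetical, and it assumes the javax.servlet API.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical wrapper: parameters, headers and cookies are denied unless a rule allows them. */
public class ValidatedRequest extends HttpServletRequestWrapper {
    private final Map<String, Pattern> paramRules;
    private final Map<String, Pattern> headerRules; // keys in lower case; header names are case-insensitive
    private final Map<String, Pattern> cookieRules;

    public ValidatedRequest(HttpServletRequest request, Map<String, Pattern> paramRules,
            Map<String, Pattern> headerRules, Map<String, Pattern> cookieRules) {
        super(request);
        this.paramRules = paramRules;
        this.headerRules = headerRules;
        this.cookieRules = cookieRules;
    }

    private static boolean allowed(String value, Pattern rule) {
        return value != null && rule != null && rule.matcher(value).matches();
    }

    // Absent input stays null; present input without a matching rule is rejected.
    // The message names the field only, so the untrusted value never reaches a log.
    private static String check(String kind, String name, String value, Pattern rule) {
        if (value != null && !allowed(value, rule)) {
            throw new IllegalArgumentException("rejected " + kind + ": " + name);
        }
        return value;
    }

    @Override public String getParameter(String name) {
        return check("parameter", name, super.getParameter(name), paramRules.get(name));
    }

    @Override public String getHeader(String name) {
        return check("header", name, super.getHeader(name),
                headerRules.get(name.toLowerCase(Locale.ROOT)));
    }

    // Browsers send cookies the application never set, so unknown ones are dropped, not fatal.
    @Override public Cookie[] getCookies() {
        List<Cookie> kept = new ArrayList<>();
        Cookie[] all = super.getCookies();
        if (all != null) for (Cookie c : all)
            if (allowed(c.getValue(), cookieRules.get(c.getName()))) kept.add(c);
        return kept.toArray(new Cookie[0]);
    }
}
```

getParameterValues(), getParameterMap(), getHeaders(), getQueryString() and the request body are further access paths that need the same treatment before the wrapper closes the gap the report describes.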