Posted to dev@struts.apache.org by bu...@apache.org on 2005/01/27 11:59:39 UTC

DO NOT REPLY [Bug 33268] New: - enhance validator to be also able to validate request parameters/headers

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33268>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33268

           Summary: enhance validator to be also able to validate request
                    parameters/headers
           Product: Struts
           Version: 1.2.4
          Platform: PC
               URL: http://struts.apache.org/userGuide/dev_validator.html
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Validator Framework
        AssignedTo: dev@struts.apache.org
        ReportedBy: hauser@acm.org


An important application programming security principle is to validate ALL
inputs (owasp.org).
request.getParameter(), request.getHeader(), getCookies() and getAttribute() may
bring many more values into an application than the validator.xml is capable of
validating.

--------------------
RFE: provide a way to also validate header/parameter/attribute fields
(beyond the maxFileSize controller that hopefully is applied also to them)
----------------

see also bug 27062 and bug 33087

P.S.: One might say that using any of those methods above is "bypassing" the
org.apache.struts.validator.ValidatorForm concept. If we want to avoid that
wouldn't it be the right approach according to the information-hiding principle
to remove the HttpServletRequest from the
org.apache.struts.action.Action.execute() method signature?
Probably, there would then be the need for a struts-controlled additional object
allowing validated access to cookies, etc.?

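To make the P.S. concrete, here is an added example (not part of this bug report and not Struts code) of a small wrapper that hands an Action parameters, headers and cookies only after they pass a rule modelled on the validator.xml maxlength and mask checks; the class and method names are assumptions.

```java
// Added example, not part of the bug report or of Struts. A minimal
// "validated access" object of the kind the P.S. proposes. Names
// (ValidatedRequest, Rule) are hypothetical; Servlet API 2.x, Java 1.4.
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

public final class ValidatedRequest {
    /** One rule in the spirit of validator.xml: maxlength plus mask. */
    public static final class Rule {
        private final int maxLength;
        private final Pattern mask;
        public Rule(int maxLength, String maskRegex) {
            this.maxLength = maxLength;
            this.mask = Pattern.compile(maskRegex);
        }
        boolean accepts(String v) {
            // matches() anchors the whole value, so the mask must cover it entirely
            return v != null && v.length() <= maxLength && mask.matcher(v).matches();
        }
    }

    private final HttpServletRequest request;
    public ValidatedRequest(HttpServletRequest request) { this.request = request; }

    /** Returns the parameter only if it satisfies the rule, otherwise null. */
    public String parameter(String name, Rule rule) {
        return check(request.getParameter(name), rule);
    }

    /** Same contract for a request header (first value only). */
    public String header(String name, Rule rule) {
        return check(request.getHeader(name), rule);
    }

    /** Same contract for a cookie value; absent cookie also yields null. */
    public String cookie(String name, Rule rule) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) return check(cookies[i].getValue(), rule);
        }
        return null;
    }

    // The caller treats null uniformly as "absent or invalid" and never sees the raw value.
    private static String check(String value, Rule rule) {
        return rule.accepts(value) ? value : null;
    }
}
```

Inside an Action the call would look like `new ValidatedRequest(request).header("X-Requested-With", new ValidatedRequest.Rule(32, "[A-Za-z]+"))`, so a header that fails the rule is indistinguishable from one that was never sent.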