Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2015/10/06 08:28:33 UTC

Secure parameters

Hi,

I have started on introducing typed parameters instead of a Map of
objects as we have right now [1]. Basically I am trying to introduce a
dedicated class which will represent HTTP parameters [2]. This isn't
finished yet as I need to figure out how to handle pushing objects
onto parameters (i.e. FileuploadInterceptor is pushing files [3]) - the
problem is that HTTP params are arrays of strings but we have used it
internally to "transport" other objects.

Any insights welcome :)

[1] https://github.com/apache/struts/pull/53
[2] https://github.com/apache/struts/pull/53/files#diff-12
[3] https://github.com/apache/struts/pull/53/files#diff-18


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


RE: Secure parameters

Posted by Martin Gainty <mg...@hotmail.com>.


> Date: Tue, 20 Oct 2015 15:56:20 -0600
> Subject: Re: Secure parameters
> From: ken.mcwilliams@gmail.com
> To: dev@struts.apache.org
> 
> Might want to take a look at tiles-request (mico) framework.

MG>https://tiles.apache.org/tiles-request
MG>little or no mention of patterns, examples, source repo or mail-list to contact
MG>who is the lead on tiles-request?
MG>thanks ken

> On Oct 6, 2015 12:28 AM, "Lukasz Lenart" <lu...@apache.org> wrote:
> 
> > Hi,
> >
> > I have started on introducing typed parameters instead of a Map of
> > objects as we have right now [1]. Basically I am trying to introduce a
> > dedicated class which will represent HTTP parameters [2]. This isn't
> > finished yet as I need to figure out how to handle pushing objects
> > onto parameters (ie. FileuploadInterceptor is pushing files [3]) - the
> > problem is that HTTP params are arrays of strings but we have used it
> > internally to "transport" other objects.
> >
> > Any insights welcome :)
> >
> > [1] https://github.com/apache/struts/pull/53
> > [2] https://github.com/apache/struts/pull/53/files#diff-12
> > [3] https://github.com/apache/struts/pull/53/files#diff-18
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >
> >
> >

Re: Secure parameters

Posted by Lukasz Lenart <lu...@apache.org>.
Time to merge this branch :finger cross: ;-)

2016-06-02 14:07 GMT+02:00 Martin Gainty <mg...@hotmail.com>:
> Thanks Lukasz
> Martin
>
>> From: lukaszlenart@apache.org
>> Date: Wed, 1 Jun 2016 15:47:04 +0200
>> Subject: Re: Secure parameters
>> To: dev@struts.apache.org
>>
>> I'm going to merge this and then improve
>>
>> 2015-11-25 20:52 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
>> > Pushed the work forward and it looks like that now
>> > https://github.com/apache/struts/pull/58
>> >
>> > I think it's good enough but I'm open to other ideas :)
>> >
>> >
>> > Regards
>> > --
>> > Łukasz
>> > + 48 606 323 122 http://www.lenart.org.pl/
>>
>>
>



RE: Secure parameters

Posted by Martin Gainty <mg...@hotmail.com>.
Thanks Lukasz
Martin

> From: lukaszlenart@apache.org
> Date: Wed, 1 Jun 2016 15:47:04 +0200
> Subject: Re: Secure parameters
> To: dev@struts.apache.org
> 
> I'm going to merge this and then improve
> 
> 2015-11-25 20:52 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> > Pushed the work forward and it looks like that now
> > https://github.com/apache/struts/pull/58
> >
> > I think it's good enough but I'm open to other ideas :)
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> 
> 

Re: Secure parameters

Posted by Lukasz Lenart <lu...@apache.org>.
I'm going to merge this and then improve

2015-11-25 20:52 GMT+01:00 Lukasz Lenart <lu...@apache.org>:
> Pushed the work forward and it looks like that now
> https://github.com/apache/struts/pull/58
>
> I think it's good enough but I'm open to other ideas :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: Secure parameters

Posted by Lukasz Lenart <lu...@apache.org>.
Pushed the work forward and it looks like that now
https://github.com/apache/struts/pull/58

I think it's good enough but I'm open to other ideas :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Secure parameters

Posted by Ken McWilliams <ke...@gmail.com>.
Might want to take a look at tiles-request (mico) framework.
On Oct 6, 2015 12:28 AM, "Lukasz Lenart" <lu...@apache.org> wrote:

> Hi,
>
> I have started on introducing typed parameters instead of a Map of
> objects as we have right now [1]. Basically I am trying to introduce a
> dedicated class which will represent HTTP parameters [2]. This isn't
> finished yet as I need to figure out how to handle pushing objects
> onto parameters (ie. FileuploadInterceptor is pushing files [3]) - the
> problem is that HTTP params are arrays of strings but we have used it
> internally to "transport" other objects.
>
> Any insights welcome :)
>
> [1] https://github.com/apache/struts/pull/53
> [2] https://github.com/apache/struts/pull/53/files#diff-12
> [3] https://github.com/apache/struts/pull/53/files#diff-18
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: Secure parameters

Posted by Paul Benedict <pb...@apache.org>.
I think the class name is very confusing. Can it just be StrutsParameters?
The "secure" thing I don't think is accurate.
On Oct 8, 2015 8:31 AM, "Christoph Nenning" <Ch...@lex-com.net>
wrote:

> > From: Lukasz Lenart <lu...@apache.org>
> > To: Struts Developers List <de...@struts.apache.org>,
> > Date: 06.10.2015 08:28
> > Subject: Secure parameters
> >
> > Hi,
> >
> > I have started on introducing typed parameters instead of a Map of
> > objects as we have right now [1]. Basically I am trying to introduce a
> > dedicated class which will represent HTTP parameters [2]. This isn't
> > finished yet as I need to figure out how to handle pushing objects
> > onto parameters (ie. FileuploadInterceptor is pushing files [3]) - the
> > problem is that HTTP params are arrays of strings but we have used it
> > internally to "transport" other objects.
> >
> > Any insights welcome :)
> >
> > [1] https://github.com/apache/struts/pull/53
> > [2] https://github.com/apache/struts/pull/53/files#diff-12
> > [3] https://github.com/apache/struts/pull/53/files#diff-18
> >
> >
>
>
> Basically I love the idea to have some more meta data about each
> parameter.
>
> I would expect new 'Parameter' interface would provide a method like
> 'isExternal()' or 'isUserProvided()' but maybe this is yet to come ;)
>
>
>
> > as I need to figure out how to handle pushing objects
> > onto parameters
>
> One way could be to add methods like these to 'Parameter':
>
> Object getValueNonString()
> Object[] getValuesNonString()
> boolean hasValueNonString()
>
>
> Most places dealing with parameters just need Strings. They can use
> methods 'getValue()' and 'getMultipleValue()' and don't need to cast.
> Those few places that need other types than Strings can use 'NonString'
> methods and have to cast on their own.
>
>
>
> Regards,
> Christoph
>
>

Re: Secure parameters

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 06.10.2015 08:28
> Subject: Secure parameters
> 
> Hi,
> 
> I have started on introducing typed parameters instead of a Map of
> objects as we have right now [1]. Basically I am trying to introduce a
> dedicated class which will represent HTTP parameters [2]. This isn't
> finished yet as I need to figure out how to handle pushing objects
> onto parameters (ie. FileuploadInterceptor is pushing files [3]) - the
> problem is that HTTP params are arrays of strings but we have used it
> internally to "transport" other objects.
> 
> Any insights welcome :)
> 
> [1] https://github.com/apache/struts/pull/53
> [2] https://github.com/apache/struts/pull/53/files#diff-12
> [3] https://github.com/apache/struts/pull/53/files#diff-18
> 
> 


Basically I love the idea to have some more meta data about each 
parameter.

I would expect new 'Parameter' interface would provide a method like 
'isExternal()' or 'isUserProvided()' but maybe this is yet to come ;)



> as I need to figure out how to handle pushing objects
> onto parameters

One way could be to add methods like these to 'Parameter':

Object getValueNonString()
Object[] getValuesNonString()
boolean hasValueNonString()


Most places dealing with parameters just need Strings. They can use 
methods 'getValue()' and 'getMultipleValue()' and don't need to cast. 
Those few places that need other types than Strings can use 'NonString' 
methods and have to cast on their own.



Regards,
Christoph


Re: Secure parameters

Posted by Lukasz Lenart <lu...@apache.org>.
2015-10-06 15:59 GMT+02:00 Paul Benedict <pb...@apache.org>:
> Can you explain the "secure" aspect? I don't follow what this is trying to
> accomplish. This is not a criticism; just a question.

Right now "parameters" is junk, a bunch of values with unknown origins
- some are coming from Request, some from interceptors, and some from
actions. I want to name them, give them some identity to allow handling
them correctly. I.e. Request params should never be evaluated (as
happens now when someone finds an RCE vulnerability), but at the same
time, params from interceptors (internals) should be passed for
evaluation all the time.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

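As an added illustration (not code from PR 53/58 or any Struts API), a hypothetical Parameter type that records where each value came from, keeps non-string payloads apart from the string values as Christoph suggests above, and funnels evaluation through one guard that refuses request-originated values as Lukasz describes; all class and method names are assumptions.

```java
import java.io.File;
import java.util.Objects;
import java.util.function.Function;
// Hypothetical sketch, not the Struts code from PR 53/58: names are assumptions.
public final class TypedParameters {
    enum Origin { REQUEST, INTERCEPTOR, ACTION }
    // One named parameter; its origin is fixed at construction and never changes.
    static final class Parameter {
        private final String name;
        private final Origin origin;
        private final String[] values;  // HTTP params are arrays of strings
        private final Object payload;   // non-string object pushed by internals (e.g. an uploaded file)
        private Parameter(String name, Origin origin, String[] values, Object payload) {
            this.name = Objects.requireNonNull(name);
            this.origin = Objects.requireNonNull(origin);
            this.values = values == null ? new String[0] : values.clone();
            this.payload = payload;
        }
        static Parameter fromRequest(String name, String... values) {
            return new Parameter(name, Origin.REQUEST, values, null);
        }
        static Parameter fromInterceptor(String name, Object payload) {
            return new Parameter(name, Origin.INTERCEPTOR, new String[] {String.valueOf(payload)}, payload);
        }
        String getName() { return name; }
        boolean isUserProvided() { return origin == Origin.REQUEST; }
        String getValue() { return values.length == 0 ? null : values[0]; }
        String[] getMultipleValues() { return values.clone(); }
        boolean hasValueNonString() { return payload != null; }
        Object getValueNonString() { return payload; }  // callers cast on their own
    }
    // The one place that hands a value to an expression evaluator: request input never gets through.
    static Object evaluateIfTrusted(Parameter p, Function<Object, Object> evaluator) {
        if (p.isUserProvided()) {
            throw new IllegalStateException("refusing to evaluate request parameter: " + p.getName());
        }
        return evaluator.apply(p.hasValueNonString() ? p.getValueNonString() : p.getValue());
    }
    public static void main(String[] args) {
        Parameter fromUser = Parameter.fromRequest("user.name", "alice");  // constructed sample input
        Parameter fromUpload = Parameter.fromInterceptor("upload", new File("constructed-upload.tmp"));
        System.out.println(fromUser.getValue() + " userProvided=" + fromUser.isUserProvided());
        System.out.println(evaluateIfTrusted(fromUpload, Object::toString) + " nonString=" + fromUpload.hasValueNonString());
        try { evaluateIfTrusted(fromUser, Object::toString); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```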


Re: Secure parameters

Posted by Paul Benedict <pb...@apache.org>.
Can you explain the "secure" aspect? I don't follow what this is trying to
accomplish. This is not a criticism; just a question.


Cheers,
Paul

On Tue, Oct 6, 2015 at 1:28 AM, Lukasz Lenart <lu...@apache.org>
wrote:

> Hi,
>
> I have started on introducing typed parameters instead of a Map of
> objects as we have right now [1]. Basically I am trying to introduce a
> dedicated class which will represent HTTP parameters [2]. This isn't
> finished yet as I need to figure out how to handle pushing objects
> onto parameters (ie. FileuploadInterceptor is pushing files [3]) - the
> problem is that HTTP params are arrays of strings but we have used it
> internally to "transport" other objects.
>
> Any insights welcome :)
>
> [1] https://github.com/apache/struts/pull/53
> [2] https://github.com/apache/struts/pull/53/files#diff-12
> [3] https://github.com/apache/struts/pull/53/files#diff-18
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>