Posted to dev@struts.apache.org by hu...@apache.org on 2001/11/21 14:29:31 UTC
cvs commit: jakarta-struts/src/share/org/apache/struts/action ActionServletWrapper.java ActionForm.java
husted 01/11/21 05:29:31
Modified: src/share/org/apache/struts/action Tag: STRUTS_1_0_BRANCH
ActionForm.java
Added: src/share/org/apache/struts/action Tag: STRUTS_1_0_BRANCH
ActionServletWrapper.java
Log:
Add ActionServletWrapper and modify ActionForm to address issue #4997 - autopopulation exploit.
This change prevents the Public String properties of ActionServlet from being changed via a query string.
Revision Changes Path
No revision
No revision
1.7.2.2 +29 -18 jakarta-struts/src/share/org/apache/struts/action/ActionForm.java
Index: ActionForm.java
===================================================================
RCS file: /home/cvs/jakarta-struts/src/share/org/apache/struts/action/ActionForm.java,v
retrieving revision 1.7.2.1
retrieving revision 1.7.2.2
diff -u -r1.7.2.1 -r1.7.2.2
--- ActionForm.java 2001/06/13 22:14:26 1.7.2.1
+++ ActionForm.java 2001/11/21 13:29:31 1.7.2.2
@@ -1,13 +1,13 @@
/*
- * $Header: /home/cvs/jakarta-struts/src/share/org/apache/struts/action/ActionForm.java,v 1.7.2.1 2001/06/13 22:14:26 craigmcc Exp $
- * $Revision: 1.7.2.1 $
- * $Date: 2001/06/13 22:14:26 $
+ * $Header: /home/cvs/jakarta-struts/src/share/org/apache/struts/action/ActionForm.java,v 1.7.2.2 2001/11/21 13:29:31 husted Exp $
+ * $Revision: 1.7.2.2 $
+ * $Date: 2001/11/21 13:29:31 $
*
* ====================================================================
- *
+ *
* The Apache Software License, Version 1.1
*
- * Copyright (c) 1999-2001 The Apache Software Foundation. All rights
+ * Copyright (c) 1999-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -15,7 +15,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -23,15 +23,15 @@
* distribution.
*
* 3. The end-user documentation included with the redistribution, if
- * any, must include the following acknowlegement:
- * "This product includes software developed by the
+ * any, must include the following acknowlegement:
+ * "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowlegement may appear in the software itself,
* if and wherever such third-party acknowlegements normally appear.
*
* 4. The names "The Jakarta Project", "Struts", and "Apache Software
* Foundation" must not be used to endorse or promote products derived
- * from this software without prior written permission. For written
+ * from this software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
@@ -57,7 +57,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- */
+ */
package org.apache.struts.action;
@@ -94,7 +94,8 @@
* </p>
*
* @author Craig R. McClanahan
- * @version $Revision: 1.7.2.1 $ $Date: 2001/06/13 22:14:26 $
+ * @author Ted Husted
+ * @version $Revision: 1.7.2.2 $ $Date: 2001/11/21 13:29:31 $
*/
public abstract class ActionForm implements Serializable {
@@ -107,8 +108,8 @@
* The controller servlet instance to which we are attached.
*/
protected transient ActionServlet servlet = null;
-
-
+
+
/**
* The MultipartRequestHandler for this form, can be
* <code>null</code>
@@ -122,14 +123,24 @@
/**
* Return the controller servlet instance to which we are attached.
*/
- public ActionServlet getServlet() {
+ protected ActionServlet getServlet() {
return (this.servlet);
}
-
-
+
+
/**
+ * Return the controller servlet instance to which we are attached.
+ */
+ public ActionServletWrapper getServletWrapper() {
+
+ return new ActionServletWrapper(getServlet());
+
+ }
+
+
+ /**
* Return the MultipartRequestHandler for this form
* The reasoning behind this is to give form bean developers
* control over the lifecycle of their multipart requests
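Review bot: The Javadoc on the new `getServletWrapper()` is a copy of the one on `getServlet()` and does not say what the wrapper is for or why it exists. Because the method is public and follows the getter naming pattern, it is itself a readable bean property of every form, so the protection this commit adds depends entirely on `ActionServletWrapper` exposing no public setters and no getter that returns the underlying servlet; that class's body is not shown on this page, so this cannot be confirmed here. I would replace the comment with something like `Return a restricted wrapper around the controller servlet; the wrapper must expose no bean-style setters, because this getter is reachable during request population.` The method also builds a new wrapper on every call and passes `getServlet()` through unchecked, so a form whose transient `servlet` field is still `null` hands `null` to the constructor, and whether the wrapper tolerates that is not visible from this hunk.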
@@ -139,7 +150,7 @@
* "multipart/request-data".
* @see org.apache.struts.upload.MultipartRequestHandler
*/
- public MultipartRequestHandler getMultipartRequestHandler() {
+ protected MultipartRequestHandler getMultipartRequestHandler() {
return multipartRequestHandler;
}
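Review bot: Narrowing `getMultipartRequestHandler()` to `protected` (and `getServlet()` in the previous hunk) is not explained in the Javadoc, and `protected` alone does not stop a subclass from redeclaring the method as `public`, which would make the property readable by bean introspection again. Since `ActionForm` is abstract and meant to be subclassed by applications, the comment should state the constraint, for example `Kept non-public so request auto-population cannot traverse this property; subclasses must not widen the visibility.` Declaring the two getters `final` would enforce that, at the cost of breaking any subclass that already overrides them. This is also a source-incompatible change on a release branch for callers outside the package and class hierarchy, which deserves a line in the release notes. The Javadoc for this method begins outside the hunk.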
@@ -156,8 +167,8 @@
this.servlet = servlet;
}
+
-
public void setMultipartRequestHandler(MultipartRequestHandler multipartRequestHandler) {
this.multipartRequestHandler = multipartRequestHandler;
}
No revision
No revision
1.1.2.1 +140 -0 jakarta-struts/src/share/org/apache/struts/action/Attic/ActionServletWrapper.java