Posted to user@struts.apache.org by Steve Sether <ss...@usenergyservices.com> on 2008/04/28 18:37:31 UTC

Re: [struts] params and staticParams

I can't seem to find any indication where this ever wound up from 
several months ago, but I found the same issue independently after 
making the (poor) assumption that a statically assigned parameter 
wouldn't be overridden by a request parameter.  I did some searching and 
found this thread.

Like Dale, I've made the same fix in my default interceptor stack and 
fixed this.

To me, this is a potential security issue.  It's very handy to define a 
parameter passed into the action via the action configuration.  It's 
easy to make the assumption that these parameters can't be overwritten 
by the user.  It seems to me the framework should by default be 
configured with security in mind.

So, can anyone tell me where this wound up?  I'd just like to add my 
voice requesting the default order be changed.

Dale Newfield wrote:
> Dale Newfield wrote:
>> Jeromy Evans wrote:
>>>> Wouldn't it be the case for most people that specify params in the 
>>>> action definition that they wouldn't want those overridden by
>>>> request params?
>>> I don't know the history but I think you make a good point.
>>
>> It a couple more people agree I'll create a JIRA issue and post a patch.
> 
> Clearly that should have started "If a couple..."
> 
> -Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
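As an added illustration of the reordering Steve and Dale describe (this is not configuration from the thread or from the Struts project), here is a struts.xml fragment with two custom stacks: the first mirrors the shipped defaultStack order, in which staticParams runs before params, so a request parameter of the same name overwrites the value set in the action definition; the second runs staticParams after params, so the configured value is applied last and wins. The interceptor names are the Struts 2 built-ins; the stack, action, class and parameter names are assumptions.

```xml
<!-- Added example, not from the thread. Interceptor names are Struts 2
     built-ins; stack, action, class and parameter names are constructed.
     Both stacks are shortened; a real stack carries the other
     defaultStack interceptors as well. -->
<struts>
  <package name="example" extends="struts-default">

    <interceptors>
      <!-- Same relative order as the shipped defaultStack: staticParams
           applies the action's <param> values first, then params applies
           request parameters on top. A request carrying
           accountType=admin therefore replaces the configured value. -->
      <interceptor-stack name="requestWinsStack">
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="params"/>
      </interceptor-stack>

      <!-- The reordering discussed in the thread: request parameters are
           applied first, then the statically configured ones, so the
           value from the action definition is the one the action sees. -->
      <interceptor-stack name="staticWinsStack">
        <interceptor-ref name="params"/>
        <interceptor-ref name="staticParams"/>
      </interceptor-stack>
    </interceptors>

    <!-- Make the hardened order the package default. -->
    <default-interceptor-ref name="staticWinsStack"/>

    <!-- accountType is meant to be fixed by configuration, not chosen
         by the client. With staticWinsStack it stays "readonly"
         regardless of what the request contains. -->
    <action name="viewReport" class="example.ReportAction">
      <param name="accountType">readonly</param>
      <result>/report.jsp</result>
    </action>

  </package>
</struts>
```

A quick check after changing the stack is to send a request that sets the configured parameter name to a different value and confirm the action's setter still ends up with the configured one.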