Posted to user@struts.apache.org by Steve Sether <ss...@usenergyservices.com> on 2008/04/28 18:37:31 UTC
Re: [struts] params and staticParams
I can't seem to find any indication where this ever wound up from
several months ago, but I found the same issue independently after
making the (poor) assumption that a statically assigned parameter
wouldn't be overridden by a request parameter. I did some searching and
found this thread.
Like Dale, I've made the same fix in my default interceptor stack and
fixed this.
To me, this is a potential security issue. It's very handy to define a
parameter passed into the action via the action configuration. It's
easy to make the assumption that these parameters can't be overwritten
by the user. It seems to me the framework should by default be
configured with security in mind.
So, can anyone tell me where this wound up? I'd just like to add my
voice requesting the default order be changed.
Dale Newfield wrote:
> Dale Newfield wrote:
>> Jeromy Evans wrote:
>>>> Wouldn't it be the case for most people that specify params in the
>>>> action definition that they wouldn't want those overridden by
>>>> request params?
>>> I don't know the history but I think you make a good point.
>>
>> It a couple more people agree I'll create a JIRA issue and post a patch.
>
> Clearly that should have started "If a couple..."
>
> -Dale
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
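The ordering issue discussed in this thread, shown as a struts.xml sketch. This is an added example, not configuration posted by anyone in the thread. It assumes the fix referred to is placing `staticParams` after `params` in the stack; the package, stack, action, class and parameter names are hypothetical, and the stacks are trimmed to the interceptors relevant here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<!-- Added example; all names below are hypothetical. -->
<struts>
  <package name="example" extends="struts-default">
    <interceptors>
      <!-- Order described in the thread: staticParams runs first, params
           runs second. A request parameter named "role" is applied last
           and replaces the value set in the action configuration. -->
      <interceptor-stack name="requestWinsStack">
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="conversionError"/>
        <interceptor-ref name="validation"/>
        <interceptor-ref name="workflow"/>
      </interceptor-stack>

      <!-- Reordered (assumed form of the fix): params runs first,
           staticParams runs second, so the configured value is written
           last and a same-named request parameter cannot replace it. -->
      <interceptor-stack name="configWinsStack">
        <interceptor-ref name="params"/>
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="conversionError"/>
        <interceptor-ref name="validation"/>
        <interceptor-ref name="workflow"/>
      </interceptor-stack>
    </interceptors>

    <!-- Applies to every action in this package that names no stack. -->
    <default-interceptor-ref name="configWinsStack"/>

    <!-- "role" is meant to be fixed by configuration. To check the
         ordering, request this action with role=admin in the query string
         and confirm the action still sees "viewer". -->
    <action name="report" class="com.example.ReportAction">
      <param name="role">viewer</param>
      <result>/report.jsp</result>
    </action>
  </package>
</struts>
```

The reordering only protects properties that have a `<param>` entry; any other settable property on the action is still populated from the request by `params`.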