You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2010/12/01 23:06:12 UTC

[jira] Resolved: (WW-3537) XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java

     [ https://issues.apache.org/jira/browse/WW-3537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-3537.
-------------------------------

    Resolution: Fixed
      Assignee: Lukasz Lenart

Implemented DMI support in RestActionMapper, so it can be disabled by specifying

struts.enable.DynamicMethodInvocation = false

Probably in the next major release, DMI support will be removed and fully disabled!

Thanks for reporting!

> XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java
> ---------------------------------------------------------------------------------------------------
>
>                 Key: WW-3537
>                 URL: https://issues.apache.org/jira/browse/WW-3537
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - REST
>    Affects Versions: 2.2.1
>            Reporter: Stefan Magnus Landrø
>            Assignee: Lukasz Lenart
>             Fix For: 2.2.1.1
>
>
> I believe I've just found a major XSFR flaw in the REST plugin's RestActionMapper.
> See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 for more details concerning XSRF.
> Manually performing a GET request on a create() method using the name!method convention, the create() method actually gets invoked (btw, the model is also populated). 
> As far as I can see, ANY of the operations with side effects (create, update, destroy) can be invoked this way (using a GET request)
> The code in RestActionMapper seems to totally ignore the HTTP-method used:
> // handle "name!method" convention.
> String name = mapping.getName();
> int exclamation = name.lastIndexOf("!");
> if (exclamation != -1) {
>     mapping.setName(name.substring(0, exclamation));
>     mapping.setMethod(name.substring(exclamation + 1));
> }
> Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD REQUEST or similar.
> Has this issue been addressed before?
> In the current state, I would not recommend using the REST plugin for production use.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.