I'd like to know if this is considered a security hole to other people besides me. I saved an email off this group back in July and finally went back to investigate it:
It seems that every action in Struts is cancellable, which means for Struts actions that do not religiously check for isCancelled(), a hacker can bypass validation simply by passing in the cancel key ("org.apache.struts.action.CANCEL"). This seems entirely possible through Jakarta HttpClient, or just by modifying the URL when possible. So, in my opinion, it doesn't seem like data from the form is ever truly reliable without the isCancelled() check.

I propose the Controller address this somehow. Maybe by using <set-property> there can be an attribute set at the action to allow validation to be legitimately skipped, or make this configurable at the <controller> level.

Any ideas?

Paul
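As an added illustration (not code from Paul's message or from the Struts project), here is the Struts 1 Action pattern the message argues for: the isCancelled() check sits before any use of the form, because when the request carries the cancel key the RequestProcessor skips validate() entirely. The action class, form class and forward names are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical action: the names SaveProfileAction, ProfileForm and the
// "cancel"/"success" forwards are assumed, not taken from the message.
public class SaveProfileAction extends Action {

    // WEAK: trusts the form unconditionally. With
    // org.apache.struts.action.CANCEL present in the request, Struts never
    // called ProfileForm.validate(), so every field reaches this code
    // unchecked even though the mapping has validate="true".
    public ActionForward executeUnchecked(ActionMapping mapping, ActionForm form,
                                          HttpServletRequest request,
                                          HttpServletResponse response) {
        ProfileForm profile = (ProfileForm) form;
        profileService.save(profile.getEmail(), profile.getDisplayName());
        return mapping.findForward("success");
    }

    // HARDENED: isCancelled(request) (inherited from Action) reports whether
    // the cancel key was set. If it was, validation did not run, so the only
    // safe thing is to leave without reading the form at all.
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        if (isCancelled(request)) {
            // Nothing below may be trusted; route to a forward that does
            // not persist or act on any submitted value.
            return mapping.findForward("cancel");
        }
        // Reached only when the RequestProcessor actually ran validate()
        // and it produced no ActionErrors.
        ProfileForm profile = (ProfileForm) form;
        profileService.save(profile.getEmail(), profile.getDisplayName());
        return mapping.findForward("success");
    }

    // Assumed collaborator; stands in for whatever the real action persists to.
    private ProfileService profileService;
}
```

The same check belongs in every action whose mapping relies on validate="true", since the cancel key is honoured by the framework regardless of whether the page rendered a cancel button.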