I agree that in the current design a developer can never trust the
request parameter. 

I guess what I'm arguing for is the ability for a developer to decide
that a parameter will always come from another JSP and never come from
the URL. However, even in this scenario it's possible that the original
JSP could simply grab it from the URL and then pass it to the included
JSP via this proposed "safe" parameter pass.

In the end this is similar to all other input validation/encoding issues
with user data. I thought I'd point it out since it was interesting and
caught me by surprise at first.

Thanks!

Michael Coates

OWASP


On 9/15/10 12:52 PM, Mikolaj Rydzewski wrote:
> Michael Coates wrote:
>> It seems to me that the method used to request parameters from an
>> included JSP file should not "fail over" to the URL if the jsp:include
>> does not provide the parameter.
>>
> IMO that's an incorrect assumption, that one can skip security
> consideration when using JSPs in a 'safe way' (because they're in the
> WEB-INF folder, in this case). It can be reused e.g. by the include page
> directive.
> A developer should never trust any values passed via request parameter.
> Period.
>

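To make the fallback discussed in this thread concrete, here is a constructed two-file example (not code from the thread or from Tomcat; the file names and the `panelView` attribute are assumptions) that places the jsp:param pattern beside a request-attribute hand-off, which the URL query string cannot populate, with an allow-list check in the fragment either way:

```jsp
<%-- main.jsp: the including page (constructed example) --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- (1) Passing a value with jsp:param, as in the thread. If the jsp:param
     line below is omitted, request.getParameter("view") inside panel.jsp
     does not return null: it falls back to the caller's URL, so
     /main.jsp?view=anything reaches the fragment unchanged. --%>
<jsp:include page="/WEB-INF/fragments/panel.jsp">
  <jsp:param name="view" value="summary"/>
</jsp:include>

<%-- (2) Hand-off via a request attribute instead. Attributes are set only by
     server-side code and never filled from the query string, so there is no
     URL fallback. This still relies on main.jsp not copying an untrusted
     parameter into the attribute, which is the caveat raised above. --%>
<c:set var="panelView" value="summary" scope="request"/>
<jsp:include page="/WEB-INF/fragments/panel.jsp"/>
```

```jsp
<%-- /WEB-INF/fragments/panel.jsp: the included fragment (constructed example) --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Read the attribute, not param.view, so a direct or forwarded request
     cannot supply the value through the URL. --%>
<c:set var="view" value="${requestScope.panelView}"/>

<%-- Allow-list the value regardless of how it arrived ("never trust any
     values passed via request parameter"); anything else is rejected and
     the rejected input is only echoed HTML-escaped via c:out. --%>
<c:choose>
  <c:when test="${view == 'summary'}">
    <div class="panel">summary markup here</div>
  </c:when>
  <c:when test="${view == 'detail'}">
    <div class="panel">detail markup here</div>
  </c:when>
  <c:otherwise>
    <p>Unknown view: <c:out value="${view}"/></p>
  </c:otherwise>
</c:choose>
```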