Mike-
check to make sure your <jsp:param has an end tag e.g.<jsp:include
page="mycommon.jsp" >
<jsp:param name="extraparam" value="myvalue" />
</jsp:include>
if the browser doesnt see it the end tag the browser throws away the whole tag
and uses the default assignment
(which comes from the jsp:include page=)
Martin--
______________________________________________
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung.
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung
fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le
destinataire prévu, nous te demandons avec bonté que pour satisfaire informez
l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est
interdite. Ce message sert à l'information seulement et n'aura pas n'importe
quel effet légalement obligatoire. Étant donné que les email peuvent facilement
être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité
pour le contenu fourni.
> Date: Wed, 15 Sep 2010 13:18:39 -0700
> From: michael.coa...@owasp.org
> To: users@tomcat.apache.org
> Subject: Re: JSP:includes parameter passing vulnerability
>
> I agree that in the current design a developer can never trust the
> request parameter.
>
> I guess what I'm arguing for is the ability for a developer to decide
> that a parameter will always come from another jsp and never come from
> the URL. However, even in this scenario its possible that the original
> JSP could simply grab it from the URL and then pass it to the included
> JSP via this proposed "safe" parameter pass.
>
> In the end this is similar to all other input validation/encoding issues
> with user data. I thought I'd point it out since it was interesting and
> caught me by surprise at first.
>
> Thanks!
>
> Michael Coates
>
> OWASP
>
>
> On 9/15/10 12:52 PM, Mikolaj Rydzewski wrote:
> > Michael Coates wrote:
> >> It seems to me that the method used to request parameters from an
> >> included jsp file should not "fail over" to the URL if the jsp:include
> >> does not provide the parameter.
> >>
> > IMO that's incorrect assumption, that one can skip security
> > consideration when using JPS's in 'safe way' (because there're in
> > WEB-INF folder, in this case). It can be reused e.g. by include page
> > directive.
> > Developer should never trust any values passed via request parameter.
> > Period.
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
