-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Uwe,
On 12/20/11 9:07 AM, uwe.hellm...@t-systems.com wrote:
> It is a webformular.
>
> The java code should this fragment.
>
> final String username = req.getParameter("username"); String uParam
> = ""; if (StringUtils.isBlank(username) == false) { uParam =
> "&u=".concat(username); }
> logonFilter.setLoginFailedUrl("/action?login_error=1".concat(uParam));
Ignoring
>
the unnecessary concatenation when no parameter will be
added, and the unnecessary comparison against "false", this looks
fairly straightforward.
Note that you have an XSS vulnerability in the above code.
I notice that the "final String username" has different indentation.
Does that come from another part of the code?
I also notice that your URL from your original message is
"/login.action" but this URL above is simply "/action". Is that due to
inconsistent obfuscation of your code, or is this incorrect?
If you are using Struts 2 (judging from the ".action" you are), where
does the object that runs the above code go into the value stack?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk7wzIMACgkQ9CaO5/Lv0PCmBACdEH5tqQ4vpxGmZvKSWOqidWi9
v4EAnA0YmO5gQivSzhL2oY8Ud9EEUkMN
=fFXq
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
