-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Uwe,

On 12/20/11 9:07 AM, uwe.hellm...@t-systems.com wrote:
> It is a web form.
> 
> The Java code should be this fragment.
> 
> final String username = req.getParameter("username");
> String uParam = "";
> if (StringUtils.isBlank(username) == false) {
>     uParam = "&u=".concat(username);
> }
> logonFilter.setLoginFailedUrl("/action?login_error=1".concat(uParam));

Ignoring the unnecessary concatenation when no parameter will be
added, and the unnecessary comparison against "false", this looks
fairly straightforward.

Note that you have an XSS vulnerability in the above code.

I notice that the "final String username" has different indentation.
Does that come from another part of the code?

I also notice that your URL from your original message is
"/login.action" but this URL above is simply "/action". Is that due to
inconsistent obfuscation of your code, or is this incorrect?

If you are using Struts 2 (judging from the ".action" you are), where
does the object that runs the above code go into the value stack?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7wzIMACgkQ9CaO5/Lv0PCmBACdEH5tqQ4vpxGmZvKSWOqidWi9
v4EAnA0YmO5gQivSzhL2oY8Ud9EEUkMN
=fFXq
-----END PGP SIGNATURE-----
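Added example, not code from the thread: the quoted fragment's URL construction placed beside a hardened version that percent-encodes the request parameter before it is appended to the redirect URL. The class name, the `null`/`trim()` check standing in for `StringUtils.isBlank` (commons-lang is not assumed here), and the sample username are all constructed for illustration; the `URLEncoder.encode(String, Charset)` overload requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example (hypothetical class, not from the mailing-list thread):
// the quoted URL construction next to a hardened form.
public class LoginFailedUrlExample {

    // Mirrors the quoted fragment: the raw request parameter is concatenated
    // into the redirect URL, so any '&', '"', '<' or similar characters in
    // the value reach the URL unchanged. The null/trim check stands in for
    // StringUtils.isBlank, which is not assumed to be on the classpath.
    static String buildUnsafe(String username) {
        String uParam = "";
        if (username != null && !username.trim().isEmpty()) {
            uParam = "&u=".concat(username);
        }
        return "/action?login_error=1".concat(uParam);
    }

    // Hardened form: encode the value as a query-string component.
    // URLEncoder implements application/x-www-form-urlencoded, which is the
    // right encoding for a query parameter (spaces become '+', '&' becomes
    // %26, '"' becomes %22, '<' becomes %3C), so the value can no longer
    // introduce additional parameters or break out of the URL.
    static String buildSafe(String username) {
        if (username == null || username.trim().isEmpty()) {
            return "/action?login_error=1";
        }
        String encoded = URLEncoder.encode(username, StandardCharsets.UTF_8);
        return "/action?login_error=1&u=" + encoded;
    }

    public static void main(String[] args) {
        // Constructed sample input carrying URL and HTML metacharacters.
        String username = "bob&admin=1\"<b>";
        System.out.println("unsafe: " + buildUnsafe(username));
        System.out.println("safe:   " + buildSafe(username));
    }
}
```

Encoding here fixes the URL context only. Whatever page later reads the `u` parameter back and renders it into HTML must still HTML-escape it for that context; the two encodings address different injection points and neither substitutes for the other.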

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
