From: "Ralf Hauser (JIRA)"
To: issues@struts.apache.org
Date: Wed, 14 Mar 2007 06:02:51 -0700 (PDT)
Subject: [jira] Commented: (STR-2347) [validator] enhance validator to be also able to validate request parameters/headers

[ https://issues.apache.org/struts/browse/STR-2347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40552 ]

Ralf Hauser commented on STR-2347:
----------------------------------

see also STR-1955, STR-2332

> [validator] enhance validator to be also able to validate request parameters/headers
> ------------------------------------------------------------------------------------
>
>                 Key: STR-2347
>                 URL: https://issues.apache.org/struts/browse/STR-2347
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.4
>         Environment: Operating System: All
>                      Platform: PC
>            Reporter: Ralf Hauser
>         Assigned To: Struts Developers
>            Priority: Minor
>
> an important application programming security principle is to validate ALL
> inputs (owasp.org).
> request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
> bring many more values into an application than the validator.xml is capable of
> validating.
> --------------------
> RFE: provide a way to also validate header/parameter/attribute fields
> (beyond the maxFileSize controller that hopefully is applied also to them)
> ----------------
> see also STR-1984 and STR-2332
> P.S.: One might say that using any of those methods above is "bypassing" the
> org.apache.struts.validator.ValidatorForm concept. If we want to avoid that,
> wouldn't it be the right approach according to the information-hiding principle
> to remove the HttpServletRequest from the
> org.apache.struts.action.Action.execute() method signature?
> Probably, there would then be the need for a struts-controlled additional object
> allowing validated access to cookies, etc.?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
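The "struts-controlled additional object allowing validated access" that the report ends with, sketched as an added example (not code from Struts 1 or from the reporter): a hypothetical ValidatedRequest wrapper through which an Action reads parameters, headers and cookies only together with a Commons Validator length and whitelist-regexp rule, reporting failures through the same ActionErrors that ValidatorForm fills. The class name, the example rule arguments and the errors.invalid message key are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.validator.GenericValidator;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

// Hypothetical helper: the one route an Action uses to read raw request values,
// so every read carries a maximum length and a whitelist regexp (assumed API).
public final class ValidatedRequest {
    private final HttpServletRequest request;
    private final ActionErrors errors;

    public ValidatedRequest(HttpServletRequest request, ActionErrors errors) {
        this.request = request;
        this.errors = errors;
    }
    // e.g. parameter("page", "^[0-9]{1,4}$", 4)
    public String parameter(String name, String regexp, int maxLength) {
        return check(name, request.getParameter(name), regexp, maxLength);
    }

    // headers are client-supplied too, e.g. header("X-Requested-With", "^[A-Za-z]{1,32}$", 32)
    public String header(String name, String regexp, int maxLength) {
        return check(name, request.getHeader(name), regexp, maxLength);
    }

    // cookie value looked up by name from request.getCookies(); absent cookie yields null
    public String cookie(String name, String regexp, int maxLength) {
        Cookie[] cookies = request.getCookies();
        String value = null;
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) { value = cookies[i].getValue(); break; }
        }
        return check(name, value, regexp, maxLength);
    }
    private String check(String name, String value, String regexp, int maxLength) {
        if (GenericValidator.isBlankOrNull(value)) {
            return null; // absent; the caller decides whether that is an error
        }
        if (!GenericValidator.maxLength(value, maxLength)
                || !GenericValidator.matchRegexp(value, regexp)) {
            // "errors.invalid" is an assumed resource-bundle key ({0} is invalid);
            // the rejected value is never returned, so it cannot reach application code
            errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.invalid", name));
            return null;
        }
        return value;
    }
}
```

In Action.execute() the wrapper is built from the request and a fresh ActionErrors; if the errors are non-empty after the reads, the Action calls saveErrors(request, errors) and forwards to the input page, exactly as a ValidatorForm failure would.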