[ https://issues.apache.org/struts/browse/STR-2347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40552 ]

Ralf Hauser commented on STR-2347:
----------------------------------

see also STR-1955, STR-2332

> [validator] enhance validator to be also able to validate request parameters/headers
> ------------------------------------------------------------------------------------
>
>                 Key: STR-2347
>                 URL: https://issues.apache.org/struts/browse/STR-2347
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.4
>         Environment: Operating System: All
>                      Platform: PC
>            Reporter: Ralf Hauser
>         Assigned To: Struts Developers
>            Priority: Minor
>
> An important application programming security principle is to validate ALL
> inputs (owasp.org).
> request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
> bring many more values into an application than the validator.xml is capable of
> validating.
> --------------------
> RFE: provide a way to also validate header/parameter/attribute fields
> (beyond the maxFileSize controller that hopefully is also applied to them)
> ----------------
> see also STR-1984 and STR-2332
> P.S.: One might say that using any of those methods above is "bypassing" the
> org.apache.struts.validator.ValidatorForm concept. If we want to avoid that,
> wouldn't it be the right approach, according to the information-hiding principle,
> to remove the HttpServletRequest from the
> org.apache.struts.action.Action.execute() method signature?
> Probably there would then be the need for a Struts-controlled additional object
> allowing validated access to cookies, etc.?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
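The "Struts-controlled additional object allowing validated access" that the issue asks for can be sketched without waiting for the framework: a javax.servlet HttpServletRequestWrapper that refuses to hand back any parameter, header or cookie for which no allow-list rule has been registered. This is an added illustration written for this page, not Struts code and not part of the issue; the class name ValidatingRequest, the rule names and the reject-on-unknown policy are assumptions chosen for the example.

```java
// Added illustration, not Struts code: an allow-listing request wrapper that
// validates headers, cookies and parameters at the point where an Action (or any
// servlet code) reads them, so values that validator.xml never sees still get
// checked. Class and rule names are assumptions for this example.
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class ValidatingRequest extends HttpServletRequestWrapper {

    /** Thrown when a client-supplied value arrives that no rule admits. */
    public static final class InputValidationException extends RuntimeException {
        public InputValidationException(String msg) { super(msg); }
    }

    // Allow-lists: an input that is present but has no rule is rejected,
    // which is what "validate ALL inputs" means in practice (no blacklist).
    private final Map<String, Pattern> parameterRules = new HashMap<String, Pattern>();
    private final Map<String, Pattern> headerRules = new HashMap<String, Pattern>();
    private final Map<String, Pattern> cookieRules = new HashMap<String, Pattern>();

    public ValidatingRequest(HttpServletRequest request) {
        super(request);
    }

    public ValidatingRequest parameter(String name, String regex) {
        parameterRules.put(name, Pattern.compile(regex));
        return this;
    }

    public ValidatingRequest header(String name, String regex) {
        // HTTP header names are case-insensitive, so rules are keyed lower-cased.
        headerRules.put(name.toLowerCase(), Pattern.compile(regex));
        return this;
    }

    public ValidatingRequest cookie(String name, String regex) {
        cookieRules.put(name, Pattern.compile(regex));
        return this;
    }

    @Override
    public String getParameter(String name) {
        return check("parameter", name, super.getParameter(name), parameterRules);
    }

    @Override
    public String getHeader(String name) {
        return check("header", name.toLowerCase(), super.getHeader(name), headerRules);
    }

    @Override
    public Cookie[] getCookies() {
        Cookie[] cookies = super.getCookies();
        if (cookies == null) {
            return null;
        }
        // Every cookie the client sent is checked, not only the ones the caller asks for.
        for (Cookie c : cookies) {
            check("cookie", c.getName(), c.getValue(), cookieRules);
        }
        return cookies;
    }

    // Pattern.matches() anchors the whole value, so "123abc" does not pass "[0-9]+".
    private static String check(String kind, String name, String value,
                                Map<String, Pattern> rules) {
        if (value == null) {
            return null; // an absent input is not an error here; required-ness is a separate rule
        }
        Pattern rule = rules.get(name);
        if (rule == null) {
            throw new InputValidationException("no validation rule for " + kind + " '" + name + "'");
        }
        if (!rule.matcher(value).matches()) {
            throw new InputValidationException(kind + " '" + name + "' failed validation");
        }
        return value;
    }

    // Use from an Action.execute() or a Filter (all names assumed for illustration):
    //   ValidatingRequest r = new ValidatingRequest(request)
    //       .parameter("orderId", "[0-9]{1,10}")
    //       .header("x-requested-with", "XMLHttpRequest")
    //       .cookie("JSESSIONID", "[A-Za-z0-9]{8,64}");
    //   String id = r.getParameter("orderId");   // returns the value or throws
}
```

Two caveats a reviewer would raise. A wrapper only guards the accessors it overrides: getParameterValues(), getParameterMap(), getHeaders(), getHeaderNames() and getIntHeader() still return raw values, so either override those too or, simpler, run the same checks once over every parameter, header and cookie in a Filter before the Action is reached. And getAttribute() is deliberately left out: request attributes are set by server-side code, not by the client, so they belong to a different trust boundary than the other three, even though the issue lists them together.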