struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Magnus Landrø (JIRA) <j...@apache.org>
Subject [jira] Created: (WW-3537) XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java
Date Wed, 01 Dec 2010 21:46:11 GMT
XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java
---------------------------------------------------------------------------------------------------

                 Key: WW-3537
                 URL: https://issues.apache.org/jira/browse/WW-3537
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - REST
    Affects Versions: 2.2.1
            Reporter: Stefan Magnus Landrø
             Fix For: 2.2.1.1


I believe I've just found a major XSFR flaw in the REST plugin's RestActionMapper.

See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 for more details
concerning XSRF.


Manually performing a GET request on a create() method using the name!method convention, the
create() method actually gets invoked (btw, the model is also populated). 
As far as I can see, ANY of the operations with side effects (create, update, destroy) can
be invoked this way (using a GET request)


The code in RestActionMapper seems to totally ignore the HTTP-method used:

// handle "name!method" convention.
String name = mapping.getName();
int exclamation = name.lastIndexOf("!");

if (exclamation != -1) {
    mapping.setName(name.substring(0, exclamation));
    mapping.setMethod(name.substring(exclamation + 1));
}

Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller
methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD
REQUEST or similar.

Has this issue been addressed before?

In the current state, I would not recommend using the REST plugin for production use.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message