struts-issues mailing list archives

From Stefan Magnus Landrø (JIRA) <>
Subject [jira] Created: (WW-3537) XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/
Date Wed, 01 Dec 2010 21:46:11 GMT
XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/

                 Key: WW-3537
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - REST
    Affects Versions: 2.2.1
            Reporter: Stefan Magnus Landrø
             Fix For:

I believe I've just found a major XSRF flaw in the REST plugin's RestActionMapper.

See for more details concerning XSRF.

When a GET request is manually performed on a create() method using the name!method convention, the
create() method actually gets invoked (btw, the model is also populated).
As far as I can see, ANY of the operations with side effects (create, update, destroy) can
be invoked this way (using a GET request).

The code in RestActionMapper seems to totally ignore the HTTP-method used:

// handle "name!method" convention.
String name = mapping.getName();
int exclamation = name.lastIndexOf("!");

if (exclamation != -1) {
    // the method is taken from the URL alone; the request's HTTP method is never consulted
    mapping.setName(name.substring(0, exclamation));
    mapping.setMethod(name.substring(exclamation + 1));
}

Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller
methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD
REQUEST or similar.

Has this issue been addressed before?

In the current state, I would not recommend using the REST plugin for production use.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
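An added illustration of the flaw described above and of the check that closes it; this is example code modelling the mapper's logic, not the Struts REST plugin's own code. The verb allowlist (create via POST, update via PUT, destroy via DELETE) and the read-only method names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist: which HTTP verb may reach each side-effecting action method.
ALLOWED_VERBS = {"create": {"POST"}, "update": {"PUT"}, "destroy": {"DELETE"}}
# Assumed read-only methods that any verb may select via "!method".
READ_ONLY_METHODS = {"index", "show"}


@dataclass
class ActionMapping:
    """Minimal stand-in for the mapper's ActionMapping (name plus optional method)."""
    name: str
    method: Optional[str] = None


class MethodNotAllowed(Exception):
    """Raised by the hardened mapper; a real mapper would answer 405 (or 400)."""


def split_name_method(mapping_name: str) -> ActionMapping:
    """The name!method convention as the reported snippet applies it: the HTTP
    verb is never consulted, so GET /orders!create selects create()."""
    mapping = ActionMapping(name=mapping_name)
    exclamation = mapping_name.rfind("!")
    if exclamation != -1:
        mapping.name = mapping_name[:exclamation]
        mapping.method = mapping_name[exclamation + 1:]
    return mapping


def map_hardened(mapping_name: str, http_verb: str) -> ActionMapping:
    """Same convention, but a method selected via "!" must be on a known list,
    and a side-effecting method must arrive with its allowed verb."""
    mapping = split_name_method(mapping_name)
    if mapping.method is None:
        return mapping  # no "!method" suffix: verb-based routing applies elsewhere
    verb = http_verb.upper()
    if mapping.method in READ_ONLY_METHODS:
        return mapping
    allowed = ALLOWED_VERBS.get(mapping.method)
    if allowed is None or verb not in allowed:
        # unknown method, or a side-effecting method reached via GET/HEAD/etc.
        raise MethodNotAllowed(f"{verb} not allowed for {mapping.method}()")
    return mapping


def is_rejected(mapping_name: str, http_verb: str) -> bool:
    """True when the hardened mapper refuses the request."""
    try:
        map_hardened(mapping_name, http_verb)
        return False
    except MethodNotAllowed:
        return True
```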
