struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <>
Subject [jira] Resolved: (WW-3537) XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/
Date Wed, 01 Dec 2010 22:06:12 GMT


Lukasz Lenart resolved WW-3537.

    Resolution: Fixed
      Assignee: Lukasz Lenart

Implemented DMI support in RestActionMapper, so it can be disabled by specifying

struts.enable.DynamicMethodInvocation = false

Probably in the next major release, DMI support will be removed and fully disabled!

Thanks for reporting!

> XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/
> ---------------------------------------------------------------------------------------------------
>                 Key: WW-3537
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - REST
>    Affects Versions: 2.2.1
>            Reporter: Stefan Magnus Landrø
>            Assignee: Lukasz Lenart
>             Fix For:
> I believe I've just found a major XSRF flaw in the REST plugin's RestActionMapper.
> See for more details concerning XSRF.
> Manually performing a GET request on a create() method using the name!method convention, the create() method actually gets invoked (btw, the model is also populated).
> As far as I can see, ANY of the operations with side effects (create, update, destroy) can be invoked this way (using a GET request).
> The code in RestActionMapper seems to totally ignore the HTTP-method used:
> // handle "name!method" convention.
> String name = mapping.getName();
> int exclamation = name.lastIndexOf("!");
> if (exclamation != -1) {
>     mapping.setName(name.substring(0, exclamation));
>     mapping.setMethod(name.substring(exclamation + 1));
> }
> Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD REQUEST or similar.
> Has this issue been addressed before?
> In the current state, I would not recommend using the REST plugin for production use.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
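The behaviour discussed in this issue, modelled as an added example for this archive page. It is not code from the Struts project and uses no Struts API: a small Python mapper reproduces the verb-to-method mapping of a REST plugin, the "name!method" handling quoted in the report (which overrides the method without consulting the HTTP verb), the `struts.enable.DynamicMethodInvocation` switch from the resolution (here the `enable_dmi` flag), and, as an assumption of the example rather than part of the fix, the per-method verb allowlist the reporter asks for. `ActionMapping`, `RestMapper`, `dispatch`, `KNOWN_ACTIONS` and `ALLOWED_VERBS` are this example's own names, and the `/orders` resource is constructed.

```python
"""
Simplified model of a REST action mapper (added example, not Struts code).

Reproduces what the report and resolution describe:
  * verb mapping: GET /orders -> index, GET /orders/7 -> show,
    POST /orders -> create, PUT /orders/7 -> update, DELETE /orders/7 -> destroy
  * the "name!method" convention (Dynamic Method Invocation, DMI): the text
    after the last '!' overrides the method, and the HTTP verb is ignored,
    so a plain GET /orders!create reaches create()
  * the resolution's switch, modelled by enable_dmi=False, which stops the
    '!' parsing altogether
  * an assumed per-method verb allowlist (enforce_verbs), the kind of
    @GET/@POST check the reporter mentions; not part of the Struts fix
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Resources the constructed application defines.
KNOWN_ACTIONS = {"orders"}

# Which HTTP verbs may reach each action method (constructed allowlist).
ALLOWED_VERBS = {
    "index": {"GET"},
    "show": {"GET"},
    "create": {"POST"},
    "update": {"PUT"},
    "destroy": {"DELETE"},
}


@dataclass(frozen=True)
class ActionMapping:
    name: str    # action name, e.g. "orders"
    method: str  # action method to invoke, e.g. "create"


class RestMapper:
    def __init__(self, enable_dmi: bool) -> None:
        # Models struts.enable.DynamicMethodInvocation (true = vulnerable).
        self.enable_dmi = enable_dmi

    @staticmethod
    def _verb_mapping(http_method: str, path: str) -> ActionMapping:
        """Pick the action method from the HTTP verb and the path shape."""
        parts = path.strip("/").split("/", 1)
        name = parts[0]
        has_id = len(parts) == 2 and parts[1] != ""
        verb = http_method.upper()
        if verb == "GET":
            return ActionMapping(name, "show" if has_id else "index")
        if verb == "POST" and not has_id:
            return ActionMapping(name, "create")
        if verb == "PUT" and has_id:
            return ActionMapping(name, "update")
        if verb == "DELETE" and has_id:
            return ActionMapping(name, "destroy")
        raise ValueError(f"no REST mapping for {verb} {path}")

    def map_request(self, http_method: str, path: str) -> ActionMapping:
        override: Optional[str] = None
        if self.enable_dmi:
            # The "name!method" handling from the report: lastIndexOf('!'),
            # everything after it becomes the method; the verb is never checked.
            bang = path.rfind("!")
            if bang != -1:
                override = path[bang + 1:]
                path = path[:bang]
        mapping = self._verb_mapping(http_method, path)
        if override is not None:
            mapping = ActionMapping(mapping.name, override)
        return mapping


def dispatch(mapper: RestMapper, http_method: str, path: str,
             enforce_verbs: bool = False) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, invoked action method or None).

    enforce_verbs applies ALLOWED_VERBS; 405 stands in for the
    "400 BAD REQUEST or similar" the report suggests.
    """
    try:
        mapping = mapper.map_request(http_method, path)
    except ValueError:
        return 405, None
    if mapping.name not in KNOWN_ACTIONS:
        # With DMI off, "/orders!create" stays a literal action name that
        # nothing defines, so the request can no longer reach create().
        return 404, None
    if enforce_verbs and http_method.upper() not in ALLOWED_VERBS.get(mapping.method, set()):
        return 405, None
    return 200, mapping.method


if __name__ == "__main__":
    vulnerable = RestMapper(enable_dmi=True)
    fixed = RestMapper(enable_dmi=False)
    # The report's scenario: a cross-site GET (an <img src> is enough) hits create().
    print("DMI on,  GET /orders!create    ->", dispatch(vulnerable, "GET", "/orders!create"))
    print("DMI on,  GET /orders/7!destroy ->", dispatch(vulnerable, "GET", "/orders/7!destroy"))
    print("DMI off, GET /orders!create    ->", dispatch(fixed, "GET", "/orders!create"))
    print("allowlist, GET /orders!create  ->", dispatch(vulnerable, "GET", "/orders!create", True))
    print("normal,  POST /orders          ->", dispatch(fixed, "POST", "/orders"))
```

Running the block prints the three outcomes side by side: with DMI on, a GET reaches `create()` and `destroy()`; with DMI off, the same URL resolves to an undefined action and is rejected; with the allowlist, the mapping still resolves to `create` but the verb check refuses it. Disabling DMI removes the `!method` entry point, but it does not by itself tie each action method to an HTTP verb, which is why the allowlist is shown as a separate, assumed layer.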
