struts-user mailing list archives

From "Brian Relph" <relp...@gmail.com>
Subject Re: action security
Date Thu, 28 Feb 2008 16:54:21 GMT
Here is a better example of what I am concerned about ...

I send emails in my application, and I use Spring to configure a
JavaMailSender - this has a getter/setter for the "from" email address ... as
well, I use a singleton bean for this object (this is the Spring default
nowadays), so a malicious user could send in a form parameter for
mailSender.fromEmail, and then every email that my application sends would
be from whatever string they submitted ...

I am implementing the ParameterNameAware interface in Struts 2.0.11, and am
checking `parameterName.startsWith("mailSender") ? false : true;` --
this is returning false; however, the value is still being set on my object.
Am I doing something wrong here?


On Thu, Feb 28, 2008 at 10:35 AM, Dave Newton <newton.dave@yahoo.com> wrote:

> --- Brian Relph <relphie@gmail.com> wrote:
> > So i guess this is a legitimate security concern.  Is there a
> > cleaner way to do this?  Is there annotations support for it?
>
> Not that I'm aware of.
>
> Note that setting a DAO-style class with a string would most likely end in
> an exception.
>
> Dave
>


-- 
Brian
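The mitigation the thread is circling around is an allowlist in `acceptableParameterName`, not a denylist on one prefix: the ParametersInterceptor consults `ParameterNameAware` once per submitted parameter name and skips the OGNL assignment when the method returns false, so the safest policy is to accept only the handful of simple property names the form is meant to set. The following is an added example for Struts 2.0.x, not code from the thread or from the Struts project; `SendMailAction`, the nested `MailSender` stand-in for the Spring-managed bean, and the `to`/`subject`/`body` properties are all assumptions made for illustration.

```java
package example; // hypothetical package

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: an action that allowlists the request parameters OGNL may
 * assign, so a submitted "mailSender.fromEmail" is never applied to the
 * shared (singleton) mail sender bean.
 */
public class SendMailAction extends ActionSupport implements ParameterNameAware {

    /** Hypothetical collaborator standing in for the Spring-configured sender. */
    public static class MailSender {
        private String fromEmail = "noreply@example.invalid"; // constructed default
        public String getFromEmail() { return fromEmail; }
        public void setFromEmail(String fromEmail) { this.fromEmail = fromEmail; }
    }

    /** Only these top-level properties may be populated from the request. */
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("to", "subject", "body")));

    /**
     * A bare identifier: no '.', '[', '(' or '#', so nothing that OGNL could
     * read as a nested path, an index or an expression.
     */
    private static final Pattern SIMPLE_NAME = Pattern.compile("^[A-Za-z][A-Za-z0-9_]*$");

    private MailSender mailSender; // set by Spring, not by the request
    private String to;
    private String subject;
    private String body;

    // The getter is what a "mailSender.fromEmail" parameter would traverse:
    // OGNL calls getMailSender() and then setFromEmail() on the shared bean.
    // Filtering by name is therefore done before any traversal happens.
    public MailSender getMailSender() { return mailSender; }
    public void setMailSender(MailSender mailSender) { this.mailSender = mailSender; }

    /**
     * Called by the parameters interceptor for every submitted parameter name.
     * Returning false makes the interceptor skip that parameter entirely.
     */
    public boolean acceptableParameterName(String parameterName) {
        boolean accepted = parameterName != null
                && SIMPLE_NAME.matcher(parameterName).matches()
                && ALLOWED.contains(parameterName);
        if (!accepted && LOG.isDebugEnabled()) {
            // Useful while verifying that this hook is actually invoked for
            // the action in question (see the usage note below).
            LOG.debug("Rejected request parameter: " + parameterName);
        }
        return accepted;
    }

    public String execute() {
        // Sending is omitted; the point of the example is parameter filtering.
        return SUCCESS;
    }

    public void setTo(String to) { this.to = to; }
    public String getTo() { return to; }
    public void setSubject(String subject) { this.subject = subject; }
    public String getSubject() { return subject; }
    public void setBody(String body) { this.body = body; }
    public String getBody() { return body; }
}
```

Two things worth checking if a value still reaches the bean: first, that the action class the request actually resolves to is the one implementing `ParameterNameAware` (the debug line above makes it obvious whether the hook fires at all), and second, that the interceptor stack applied to that action includes the parameters interceptor, since the hook is only consulted from there. An allowlist of bare names also closes the gap a prefix denylist leaves open, because any other property with a getter returning a shared object is equally reachable through a dotted parameter name.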
