struts-user mailing list archives

From "J. Garcia" <jogaco...@gmail.com>
Subject Re: data injection attack
Date Wed, 04 Jul 2012 14:22:34 GMT
Implementing the ParameterNameAware interface with white/black list seems
the best solution.
Thanks,
J.

On Wed, Jul 4, 2012 at 3:51 PM, Dave Newton <davelnewton@gmail.com> wrote:

> Then whitelist/blacklist.
>
> Or don't expose sensitive data directly to the user.
>
> Dave
>
> (pardon brevity, typos, and top-quoting; on cell)
> On Jul 4, 2012 8:49 AM, "J. Garcia" <jogaco.en@gmail.com> wrote:
>
> > My action would have:
> >
> > public void setMyBean( MyBean myBean) {...}
> >
> > and I would like to avoid an injection on myBean.field3. This field could
> > be the owner id for instance!
> >
> > On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
> > <lukasz.lenart@googlemail.com> wrote:
> >
> > > Another way is to use AnnotationParameterFilterIntereptor (name
> > > contains typo) and @Allowed and @Blocked annotations
> > >
> > >
> > > Regards
> > > --
> > > Łukasz
> > > mobile +48 606 323 122 http://www.lenart.org.pl/
> > > Warszawa JUG conference - Confitura http://confitura.pl/
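An added example of the ParameterNameAware approach J. settled on; this is not code from the thread or from Struts itself, and the action, package, bean and session-key names are hypothetical. Only the XWork imports are the real ones. The action keeps an allow-list of the exact parameter names the request may populate, so `myBean.field3` (the owner id) can never be set from the request and is instead filled in server-side in `execute()`. A deny-list of just `myBean.field3` would be weaker: the parameters interceptor also accepts OGNL bracket notation such as `myBean['field3']`, which a plain string compare against `myBean.field3` would let through, whereas an exact allow-list rejects every spelling it was not told about.

```java
// Added example, not from the thread or the Struts code base.
// Package, class, field and session-key names are hypothetical.
package example.web;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

public class EditMyBeanAction extends ActionSupport implements ParameterNameAware {

    /** The bean the form edits; field3 is the owner id and must never be user-settable. */
    public static class MyBean {
        private String field1;
        private String field2;
        private long field3; // owner id, assigned server-side only

        public String getField1() { return field1; }
        public void setField1(String field1) { this.field1 = field1; }
        public String getField2() { return field2; }
        public void setField2(String field2) { this.field2 = field2; }
        public long getField3() { return field3; }
        public void setField3(long field3) { this.field3 = field3; }
    }

    // Exact, fully qualified parameter names the request is allowed to populate.
    // Anything else, including myBean.field3 and myBean['field3'], is dropped.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("id", "myBean.field1", "myBean.field2")));

    private long id;
    private MyBean myBean = new MyBean();

    public long getId() { return id; }
    public void setId(long id) { this.id = id; }
    public MyBean getMyBean() { return myBean; }
    public void setMyBean(MyBean myBean) { this.myBean = myBean; }

    /**
     * Called by ParametersInterceptor for each request parameter name that has
     * already passed its own regex and exclusion checks. Returning false makes
     * the interceptor skip that parameter entirely.
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ALLOWED.contains(parameterName);
    }

    @Override
    public String execute() {
        // The owner id comes from the authenticated session, never from the request.
        // Assumes (hypothetically) that the login action stored it under "userId".
        Object userId = ActionContext.getContext().getSession().get("userId");
        if (userId == null) {
            return LOGIN; // not authenticated
        }
        myBean.setField3(((Number) userId).longValue());
        // ... persist myBean here ...
        return SUCCESS;
    }

    // Stand-alone check of the filter logic; needs no servlet container.
    public static void main(String[] args) {
        EditMyBeanAction action = new EditMyBeanAction();
        // Constructed sample of parameter names a client might submit.
        String[] submitted = { "id", "myBean.field1", "myBean.field2",
                               "myBean.field3", "myBean['field3']" };
        for (String name : submitted) {
            System.out.println(name + " -> "
                    + (action.acceptableParameterName(name) ? "accepted" : "dropped"));
        }
    }
}
```

The `main` prints `accepted` for `id`, `myBean.field1` and `myBean.field2` and `dropped` for both spellings of field3. The annotation route Łukasz mentions works the same way at the field level: mark the settable fields with `@Allowed` (or the sensitive ones with `@Blocked`) and add `AnnotationParameterFilterIntereptor` to the action's interceptor stack, since it is not part of the default stack.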
