Affects Version/s: 1.2.4
Fix Version/s: None
Environment: Operating System: All
an important application programming security principle is to validate ALL
request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
bring many more values into an application than the validator.xml is capable to
RFE: provide a way to also validate header/parameter/attribute fields
(beyond the maxFileSize controller that hopefully is applied also to them)
P.S.: One might say that using any of those methods above is "bypassing" the
org.apache.struts.validator.ValidatorForm concept. If we want to avoid that
wouldn't it be the right approach according to the information-hiding principle
to remove the HttpServletRequest from the
org.apache.struts.action.Action.execute() method signature?
Probably, there would then be the need for a struts-controlled additional object
allowing validated access to cookies, etc.?
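As an added illustration of the "struts-controlled additional object" idea above (example code written for this report, not part of Struts): a hypothetical `ValidatedRequest` wrapper that refuses to hand an Action any parameter, header or cookie that was not declared together with a whitelist pattern, closing the gap between what validator.xml covers and what the raw HttpServletRequest exposes.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (not a Struts class): each field an Action may read
// must be declared with a whitelist regex; undeclared or malformed values
// never reach application code.
public class ValidatedRequest extends HttpServletRequestWrapper {
    private final Map<String, Pattern> rules = new HashMap<String, Pattern>();

    public ValidatedRequest(HttpServletRequest request) {
        super(request);
    }

    // Declare a field name and the exact shape its value must have.
    public ValidatedRequest allow(String name, String regex) {
        rules.put(name, Pattern.compile(regex));
        return this;
    }

    private String check(String kind, String name, String value) {
        Pattern rule = rules.get(name);
        if (rule == null) {
            throw new IllegalArgumentException("undeclared " + kind + ": " + name);
        }
        if (value != null && !rule.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + kind + ": " + name);
        }
        return value;
    }

    public String getParameter(String name) {
        return check("parameter", name, super.getParameter(name));
    }

    public String getHeader(String name) {
        return check("header", name, super.getHeader(name));
    }

    // Cookies arrive unasked, so undeclared ones are dropped rather than
    // rejected; declared ones must still match their pattern.
    public Cookie[] getCookies() {
        Cookie[] all = super.getCookies();
        if (all == null) return null;
        List<Cookie> kept = new ArrayList<Cookie>();
        for (Cookie c : all) {
            if (rules.containsKey(c.getName())) {
                check("cookie", c.getName(), c.getValue());
                kept.add(c);
            }
        }
        return kept.toArray(new Cookie[kept.size()]);
    }
}
```

An Action would wrap the incoming request once, e.g. `new ValidatedRequest(request).allow("page", "[0-9]{1,4}").allow("X-Requested-With", "XMLHttpRequest")`, and read only through the wrapper; `getAttribute()` is left untouched here because attributes are set server-side, not by the client.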