Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 1.2.4
- Fix Version/s: None
- Component/s: None
- Operating System: All
- Platform: PC
- Bugzilla Id: 33268
Description
An important application programming security principle is to validate ALL inputs (owasp.org).
request.getParameter() and request.getHeader(), getCookies(), getAttribute() may bring many more values into an application than the validator.xml is capable of validating.
--------------------
RFE: provide a way to also validate header/parameter/attribute fields (beyond the maxFileSize controller that hopefully is applied also to them)
--------------------
see also STR-1984 and STR-2332
P.S.: One might say that using any of those methods above is "bypassing" the org.apache.struts.validator.ValidatorForm concept. If we want to avoid that, wouldn't it be the right approach according to the information-hiding principle to remove the HttpServletRequest from the org.apache.struts.action.Action.execute() method signature?
Probably, there would then be the need for a Struts-controlled additional object allowing validated access to cookies, etc.?
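As an added illustration (not code from the Struts project or from the reporter of this issue), the following is a hypothetical wrapper of the kind the P.S. proposes: instead of handing an Action the raw HttpServletRequest, it hands it an object that returns a header, parameter or cookie value only after checking it against a declared maximum length and allow-list pattern, so values reaching the Action have passed validation comparable to what validator.xml applies to form fields. The class and method names (`ValidatedRequest`, `FieldRule`, `rule`, `parameter`, `header`, `cookie`) are assumptions for this example; only the `javax.servlet` calls are real APIs. It covers the three client-supplied sources; request attributes are set server-side and are left out.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical rule for one field: a length cap plus an allow-list regex. */
final class FieldRule {
    private final int maxLength;
    private final Pattern allowed;

    FieldRule(int maxLength, String allowedRegex) {
        this.maxLength = maxLength;
        this.allowed = Pattern.compile(allowedRegex);
    }

    /** A value is accepted only if present, short enough and fully matched by the allow-list. */
    boolean accepts(String value) {
        return value != null
            && value.length() <= maxLength
            && allowed.matcher(value).matches();
    }
}

/**
 * Hypothetical "validated access" object: the Action never touches the raw
 * request; every header/parameter/cookie value passes a declared rule first.
 */
public final class ValidatedRequest {
    private final HttpServletRequest request;
    private final Map<String, FieldRule> rules = new HashMap<>();

    public ValidatedRequest(HttpServletRequest request) {
        this.request = request;
    }

    /** Declares the rule for a named field; chained so an Action can list its inputs up front. */
    public ValidatedRequest rule(String name, int maxLength, String allowedRegex) {
        rules.put(name, new FieldRule(maxLength, allowedRegex));
        return this;
    }

    /** Request parameter, or null if it is absent or fails its rule. */
    public String parameter(String name) {
        return check(name, request.getParameter(name));
    }

    /** Request header, or null if it is absent or fails its rule. */
    public String header(String name) {
        return check(name, request.getHeader(name));
    }

    /** Cookie value, or null if no such cookie was sent or it fails its rule. */
    public String cookie(String name) {
        Cookie[] cookies = request.getCookies(); // null when the client sent no Cookie header
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return check(name, c.getValue());
            }
        }
        return null;
    }

    /** Fail closed: a field with no declared rule is a programming error, not a pass-through. */
    private String check(String name, String value) {
        FieldRule rule = rules.get(name);
        if (rule == null) {
            throw new IllegalStateException("no validation rule declared for field: " + name);
        }
        return rule.accepts(value) ? value : null;
    }
}
```

Inside an Action, usage would look like `new ValidatedRequest(request).rule("X-Request-Id", 36, "[0-9a-fA-F-]+").header("X-Request-Id")`: a value that fails the rule comes back as null rather than reaching application logic, and asking for a field that was never declared throws, which is the fail-closed behaviour the "validate ALL inputs" principle calls for.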