  1. Struts 1
  2. STR-2347

[validator] enhance validator to be also able to validate request parameters/headers

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.2.4
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
      None
    • Environment:
      Operating System: All
      Platform: PC
    • Bugzilla Id:
      33268

      Description

      An important application programming security principle is to validate ALL
      inputs (owasp.org).
      request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
      bring many more values into an application than the validator.xml is capable of
      validating.

      --------------------
      RFE: provide a way to also validate header/parameter/attribute fields
      (beyond the maxFileSize controller that hopefully is applied also to them)
      ----------------

      See also STR-1984 and STR-2332.

      P.S.: One might say that using any of those methods above is "bypassing" the
      org.apache.struts.validator.ValidatorForm concept. If we want to avoid that
      wouldn't it be the right approach according to the information-hiding principle
      to remove the HttpServletRequest from the
      org.apache.struts.action.Action.execute() method signature?
      Probably, there would then be the need for a Struts-controlled additional object
      allowing validated access to cookies, etc.?
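
One shape the "validated access" object from the P.S. could take, as an added example that is not part of the original issue and not Struts code. The class `ValidatedRequest`, its `Source` enum and the sample field names and patterns are hypothetical; the raw lookups are passed in as functions so the block runs without the servlet API (Java 9 or later assumed).

```java
import java.util.*;
import java.util.function.Function;
import java.util.regex.Pattern;

/** Hypothetical facade an Action could receive instead of the raw HttpServletRequest. */
public class ValidatedRequest {
    public enum Source { PARAMETER, HEADER, COOKIE }

    // Raw lookups supplied by the caller, e.g. request::getParameter, request::getHeader.
    private final Map<Source, Function<String, String>> readers;
    private final Map<String, Pattern> rules = new HashMap<>();

    public ValidatedRequest(Map<Source, Function<String, String>> readers) {
        this.readers = new EnumMap<>(readers);
    }

    /** Declares the only accepted shape for one field. */
    public ValidatedRequest allow(Source src, String name, String regex) {
        rules.put(key(src, name), Pattern.compile(regex));
        return this;
    }

    /** Returns the value only if it is present and the whole value matches its rule. */
    public Optional<String> get(Source src, String name) {
        Pattern rule = rules.get(key(src, name));
        if (rule == null) { // fail closed: undeclared fields cannot be read at all
            throw new IllegalStateException("no validation rule for " + key(src, name));
        }
        Function<String, String> reader = readers.get(src);
        String raw = (reader == null) ? null : reader.apply(name);
        return (raw != null && rule.matcher(raw).matches()) ? Optional.of(raw) : Optional.empty();
    }

    private static String key(Source src, String name) {
        // HTTP header names are case-insensitive; parameter and cookie names are not.
        return src + ":" + (src == Source.HEADER ? name.toLowerCase(Locale.ROOT) : name);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for one incoming request.
        Map<String, String> headers = Map.of("X-Request-Id", "abc-123");
        Map<String, String> cookies = Map.of("lang", "en_US<script>");
        ValidatedRequest req = new ValidatedRequest(Map.of(
                Source.HEADER, headers::get, Source.COOKIE, cookies::get))
            .allow(Source.HEADER, "X-Request-Id", "[A-Za-z0-9-]{1,36}")
            .allow(Source.COOKIE, "lang", "[a-z]{2}_[A-Z]{2}");
        System.out.println(req.get(Source.HEADER, "X-Request-Id")); // value passes its rule
        System.out.println(req.get(Source.COOKIE, "lang"));         // value rejected by its rule
    }
}
```

Reading a field that has no declared rule throws instead of returning the raw value, which is what keeps unvalidated headers and cookies from reaching the Action.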

            People

            • Assignee:
              Unassigned
            • Reporter:
              hauser@acm.org Ralf Hauser