  1. Struts 1
  2. STR-2347

[validator] enhance validator to be also able to validate request parameters/headers


Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 1.2.4
    • None
    • Core
    • None
    • Operating System: All
      Platform: PC
    • 33268

    Description

      An important application programming security principle is to validate ALL
      inputs (owasp.org).
      request.getParameter() and request.getHeader(), getCookies(), getAttribute() may
      bring many more values into an application than the validator.xml is capable of
      validating.

      --------------------
      RFE: provide a way to also validate header/parameter/attribute fields
      (beyond the maxFileSize controller that hopefully is applied also to them)
      ----------------

      see also STR-1984 and STR-2332

      P.S.: One might say that using any of those methods above is "bypassing" the
      org.apache.struts.validator.ValidatorForm concept. If we want to avoid that,
      wouldn't it be the right approach according to the information-hiding principle
      to remove the HttpServletRequest from the
      org.apache.struts.action.Action.execute() method signature?
      Probably, there would then be the need for a Struts-controlled additional object
      allowing validated access to cookies, etc.?


          People

            Unassigned
            hauser@acm.org Ralf Hauser
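
One way the object "allowing validated access to cookies, etc." from the P.S. could look: an added example, not code from this issue or from Struts. It assumes the javax.servlet API and Java 5+; the class name ValidatedRequest, the rules map and its key format are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical wrapper (not a Struts class): every parameter, header or cookie read passes an allow-list rule. */
public class ValidatedRequest extends HttpServletRequestWrapper {
    // Rule keys (assumed format): "param:<name>", "header:<lower-case name>", "cookie:<name>".
    private final Map<String, Pattern> rules;

    public ValidatedRequest(HttpServletRequest request, Map<String, Pattern> rules) {
        super(request);
        this.rules = rules;
    }

    /** Default deny: a field with no rule, or a value that does not fully match its rule, reads as absent. */
    private String check(String kind, String name, String value) {
        if (name == null || value == null) return null;
        // Header names are case-insensitive; parameter and cookie names are not.
        String key = "header".equals(kind) ? name.toLowerCase(Locale.ROOT) : name;
        Pattern rule = rules.get(kind + ":" + key);
        return (rule != null && rule.matcher(value).matches()) ? value : null;
    }

    @Override public String getParameter(String name) {
        return check("param", name, super.getParameter(name));
    }
    @Override public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) return null;
        for (String v : values) {
            if (check("param", name, v) == null) return null; // one bad value rejects the whole field
        }
        return values;
    }
    @Override public String getHeader(String name) {
        return check("header", name, super.getHeader(name));
    }
    @Override public Cookie[] getCookies() {
        Cookie[] cookies = super.getCookies();
        if (cookies == null) return null;
        List<Cookie> ok = new ArrayList<Cookie>();
        for (Cookie c : cookies) {
            if (check("cookie", c.getName(), c.getValue()) != null) ok.add(c);
        }
        return ok.toArray(new Cookie[0]);
    }
}
```

When a servlet Filter passes `new ValidatedRequest(request, rules)` to `chain.doFilter(...)`, code behind the filter reads these fields through the wrapper. `getParameterMap()`, `getHeaders()`, `getQueryString()` and `getInputStream()` are not overridden here and still return unvalidated data, so they need the same treatment.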