Interesting read.
Since Click provides a higher abstraction than action-based
frameworks, the request parameters are copied to Fields, not domain
objects. The Fields almost act as a DTO of sorts. As you pointed out,
only the Fields created by the developer will be bound. Thus fields
created dynamically in the browser won't affect the domain.
However, if you have a HiddenField (or any other field for that matter)
that should not be modified by the user, then you need to be careful.
And of course it's easy to say not to expose sensitive data. :)
One solution is to write a SecureHiddenField which encrypts its value.
Then once the form is submitted, check that the value was not tampered
with.
kind regards
bob
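A framework-independent sketch of the two points above (only declared fields get bound, and a hidden field that detects tampering), added here as an illustration rather than Click code from the project. It uses an HMAC for integrity instead of encryption, so the value stays readable but any change is detected; the key and the `Form`/`Account` classes are constructed stand-ins.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment would load it from server-side configuration.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_hidden_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Render a hidden field as 'value|mac' so the server can verify it on submit."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden_value(wire: str, key: bytes = SERVER_KEY):
    """Return the original value if the MAC matches, else None (tampered or malformed)."""
    value, sep, mac = wire.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, mac) else None


class Form:
    """Stand-in for a Click form: binding walks the declared fields, never the request."""

    def __init__(self, fields, secure_fields=()):
        self.fields, self.secure = set(fields), set(secure_fields)
        self.values, self.errors = {}, {}

    def bind(self, params: dict) -> bool:
        for name in self.fields:  # extra request parameters are simply never looked at
            if name not in params:
                continue
            raw = params[name]
            if name in self.secure:  # our SecureHiddenField equivalent
                raw = verify_hidden_value(raw)
                if raw is None:
                    self.errors[name] = "hidden field value was tampered with"
                    continue
            self.values[name] = raw
        return not self.errors

    def copy_to(self, bean):
        """Like form.copyTo(object): only bound field values reach the domain object."""
        for name, value in self.values.items():
            setattr(bean, name, value)
        return bean


class Account:
    def __init__(self):
        self.name, self.account_id, self.is_admin = "", "", False
```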
casperjeff wrote:
> We were reading about the Spring 'security vulnerability' today
> (http://www.theserverside.com/news/thread.tss?thread_id=50076) and thought
> a little bit about my own code that uses the Click framework...
>
> Often times I will do a form.copyTo(object)....without thinking about it too
> much....
>
> What will click do if I post an extra parameter (nefariously) that is not in
> the actual html form but matches up to a bean/model object that I copy into?
> (it's not in the 'form' object at all).
>
> I would assume because the form (from AbstractContainer) is represented as a
> list of controls....an extra passed parameter would never be propagated.
>
> Is that correct?
>
> What about if a form contains a hiddenField which maps to a bean/model field
> that theoretically should not be modifiable by the user?
>
> This isn't an issue for me personally as I validate user access to elements
> in my service level before performing selects or updates based on
> user-entered data...but might be an issue for others.
Click-user mailing list
Click-user@...
https://lists.sourceforge.net/lists/listinfo/click-user