Skip to main content

Spring Security Advisory

Many people consider this is not new. But there is a security advisory out for spring users.

http://www.springsource.com/securityadvisory

Quote:
For applications that bind request data to presentation-layer "form models", this is unlikely to be a problem since there is a one-to-one correspondence between a form backing object and a set of allowed request parameters. This issue is only relevant for applications that bind directly to a domain model which exposes properties that should not be updated by the client.

To understand it more clearly, look at an Example:
http://www.celerity.nl/blog/2008/04/security-implications-of-the-spring-databinder/

This is however an advanced usecase. If you are directly binding model to form objects you have a major design issue.

If you observe carefully, There is another case that we dont often remember. Most Web apps have CRUD jsps and the Update jsp will generally include the id of the model that is being edited. Most times, The only security is that edit url is protected. But still, if a malicious user logged in, he can manually edit the attributes to update the model, EVEN IF it DOESNOT belong to him. say a CreditCard / Address Object in db.

So What is the solution? When you have user secure model. keep the user info (acct # or user id) at the time of *login* in session. And use that for each call that you update The CreditCard or Address.

Bottom line is, if a sensitive data is being Cruded, not only does the user needs to be authed, each request needs to be re-validated for ownership in some way.

Popular posts from this blog

Javascript: Convert Strings to Binary (and representing in a nerdy way!)

I follow those GoogleDevelopers Videos . Sometime back, in one of the presentations on GoogleIO, there was this interesting string of dots at the bottom of each page of the presentation . They looked like random big and small dots. A similar bunch of dots were also on the T-shirt of a presenter was wearing in another presentation . While it seemed something in the pattern, I could not find what it was. Finally, another presenter cleared the matter that those dots are just binary representation of "GOOGLEIO" (So much for advertizing Google IO, Impressive!). So I wanna do it. Takes me back to days of those DSP classes at school. Nerdy me had to churn some old brain cells. I remember those first programming language classes in Pascal and C when you were asked to do fibonacci series and converting a binary string to ascii codes. That *experience* came handy here: Check it out! Text to Binarize: For those who came to copy the javascript code to convert string to binary,

MySql Copying Table Structures.

Some times you need to copy only table structures across databases. This article describes two ways of doing it. If the whole database schema need to be exported, mysqldump is very effective. A --nodata flag will dump all tables' schema. Like this. mysqldump --nodata -p -u username databaseName But if you want to copy a specific table, individually, you could use "create table like" feature. You could create it even from a different database. However it must be on the same mysqld instance. Like this. create table newtable like oldtable; --Or from a table in other database create table mytable like otherdatabase.tablename;

javascript maxlength for textarea with \r\n breaks in java (esp Firefox)

Textareas allow new lines to enter. These are represented by \n (1) or \r\n (2) characters. But when you save to DB you have a limit to certain length of chars. There is no maxlength attribute in HTML that will stop you from entering data. This is generally acomplished by Javascript. You do a onkeyup hook and stop event or trim after textarea.value.length > maxlength. There are many other solutions out there.. But.. Here is the problem that most of those solutions overlook, How do you deal with the count on \n and \r\n representations. Lets first see how it matters. If the text entered has new lines, the length is calculated differently in Firefox and IE. When you enter a Text like 01234 567890 You expect the textarea.value.length to be 11. (10 chars + new line).On the backend, however, java would recieve it as 12 chars (10 chars + \r\n) (this is irrespective of FF or IE). So you are effectively saving 12 chars to DB. Worse yet, IE seems to figure textarea.value.length as 12 (