DWR

Ensure that DWR checks that the return type of a method is convertable *before* it is executed.

Details

  • Type: Task Task
  • Status: Reopened Reopened
  • Priority: Minor Minor
  • Resolution: Unresolved
  • Affects Version/s: None
  • Fix Version/s: 4.0
  • Component/s: Security
  • Description:
    While we wouldn't leak data, we might execute something that perhaps we shouldn't

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
David Marginian added a comment - 31/Mar/09 2:17 PM

This can be fixed easily in BaseCallHandler.marshallInbound() via:

// If a converter is not specified for the Return type than we need to set a MarshalException on the call and
// ensure that this call is not executed per JIRA DWR-322.
Class<?> returnType = method.getReturnType();
if (null != returnType && !converterManager.isConvertable(returnType))

{ call.setMarshallFailure(new ConversionException(returnType, "A converter has not been specified for the return type of " + method.getName() + " method cannot be executed.")); }

However, I am not sure this is the best place for it. Thoughts?

Show
David Marginian added a comment - 31/Mar/09 2:17 PM This can be fixed easily in BaseCallHandler.marshallInbound() via: // If a converter is not specified for the Return type than we need to set a MarshalException on the call and // ensure that this call is not executed per JIRA DWR-322. Class<?> returnType = method.getReturnType(); if (null != returnType && !converterManager.isConvertable(returnType)) { call.setMarshallFailure(new ConversionException(returnType, "A converter has not been specified for the return type of " + method.getName() + " method cannot be executed.")); } However, I am not sure this is the best place for it. Thoughts?
Hide
Permalink
David Marginian added a comment - 31/Mar/09 4:23 PM

I tested the proposed fix. After further examination of the code it appears this is the best place to add this logic.

Show
David Marginian added a comment - 31/Mar/09 4:23 PM I tested the proposed fix. After further examination of the code it appears this is the best place to add this logic.
Hide
Permalink
David Marginian added a comment - 01/Apr/09 2:51 AM

I need to re-think this proposed solution only works for concrete types.

Show
David Marginian added a comment - 01/Apr/09 2:51 AM I need to re-think this proposed solution only works for concrete types.
Hide
Permalink
David Marginian added a comment - 01/Apr/09 9:45 AM

Joe, do you have any proposals on how this could work? Should we only do this for concrete formal parameters and skip the check otherwise. For non concrete formal parameters we have to execute the method to get the type information - no way around that.

Show
David Marginian added a comment - 01/Apr/09 9:45 AM Joe, do you have any proposals on how this could work? Should we only do this for concrete formal parameters and skip the check otherwise. For non concrete formal parameters we have to execute the method to get the type information - no way around that.

People

Dates

  • Created:
    13/Dec/08 7:49 PM
    Updated:
    15/Jul/11 5:07 AM
Atlassian JIRA (v4.1.2#531) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for DWR. Try JIRA - bug tracking software for your team.