• Post Reply Bookmark Topic Watch Topic
  • New Topic

Letting the request object escape?  RSS feed

 
Ryan McClain
Ranch Hand
Posts: 153
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
It is stated that request objects are thread-safe.

However, is it possible that someone would write malicious code that obtains the request object, creates a new reference to it/copies it (its content), modifies that reference/copy and passes that to a JSP/Servlet instead of the original request?
I'm not sure - just speculating.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
144
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Are you talking about "man in the middle attacks"? Or someone walking up to your server, logging in with privs, and altering the code?

If the latter, install better locks. If the former, using SSL is one of the major protection means.

Not sure what any of this has to do with thread safety.
 
Ryan McClain
Ranch Hand
Posts: 153
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am talking about just the developer himself - the owner of the code - writing aforementioned (unsafe) code.
I was thinking: if a Servlet has a reference to the request object, could that request object be modified and forwarded to the RequestDispatcher instead of the original request?
So I am wondering if it is possible to mutate (the reference to) the original request in a way that yes - it would look like a man in the middle attack.

Regarding thread safety: the request object never escapes scope (I assume), unless someone would grab it and throw it into another scope so that other threads of other servlets could mess around with that request. Not sure.
Something like:
- get request object
- modify it
- set it as a context/session attribute elsewhere
- other threads modify it


 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
144
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Ryan McClain wrote:I am talking about just the developer himself - the owner of the code - writing aforementioned (unsafe) code.

The HttpServletRequest class doesn't have a whole lot of ways that it can be changed. Note that there are no setter type methods that alter the request. (setAttribute() adds to the scope, not the request instance itself.)

Why the odd question? It's kinda weird to treat your own code as a hack. Just write good code.


it would look like a man in the middle attack.

Umm not really.

unless someone would grab it and throw it into another scope so that other threads of other servlets could mess around with that request.

Modify it how? But yes, passing requests and other container resources between threads is a great way to boof things up. Though the result is likely to be weird exceptions rather than anything destructive.

I think you're tilting at windmills here.
 
Amit Ghorpade
Bartender
Posts: 2856
10
Fedora Firefox Browser Java
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
<nitpicking>
A developer creating undesirable/malicious functionality is not termed as attack. It would be a vulnerability or a loop-hole which can be exploited to create an attack.
</nitpicking>
 
Ivan Jozsef Balazs
Rancher
Posts: 999
5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:
The HttpServletRequest class doesn't have a whole lot of ways that it can be changed. Note that there are no setter type methods that alter the request.


If there is a need to "hack aorund" with the HttpServletRequest (like from say a Filter) there is this class:
HttpServletRequestWrapper

I once wrote a wrapper using this class so that it was possible to set pseudo-request params in a filter before a servlet further down in the chain saw the request.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
144
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes, wrappers are frequently used around the response in a filter. But I'm still kind of confounded on what sort of maliciousness the OP is intending.
 
Consider Paul's rocket mass heater.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!