CWE-608: Struts: Non-private Field in ActionForm Class

Description

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

Submission Date :

May 7, 2007, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Example Vulnerable Codes

Example - 1

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for a online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.



super();
// variables for registration formpublic String name;public String email;...public RegistrationForm() {}public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}...public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {}

However, within the RegistrationForm the member variables for the registration form input data are declared public not private. All member variables within a Struts framework ActionForm class must be declared private to prevent the member variables from being modified without using the getter and setter methods. The following example shows the member variables being declared private and getter and setter methods declared for accessing the member variables.



super();
// private variables for registration formprivate String name;private String email;...public RegistrationForm() {}public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}

// getter and setter methods for private variables...public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {}

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 25, 2024 2:35