Security concern in the way to populate context

> Hi Patrick,
>
> I think a jira issue for this would be a good idea.
>
> Regards
> Scott
>
> HotWax Media
> http://www.hotwaxmedia.com
>
>
> On 25/11/2009, at 9:12 AM, Patrick Antivackis wrote:
>
>  Hello,
>> I discover that in the parameters map available in the context, get or
>> post
>> parameters can override session and application attributes.
>> The way to create the parameters map isthe following in
>> UtilHttp.getCombinedMap :
>>
>>       combinedMap.putAll(getServletContextMap(request, namesToSkip)); //
>> bottom level application attributes
>>       combinedMap.putAll(getSessionMap(request, namesToSkip));        //
>> session overrides application
>>       combinedMap.putAll(getParameterMap(request));                   //
>> parameters override session
>>       combinedMap.putAll(getAttributeMap(request));                   //
>> attributes trump them all
>>
>> I understand that session can override application attributes, but I dont
>> understand why Parameters can override them.
>>
>> For example if you try the following :
>>
>> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
>>
>> You will be surprised. This also mean, that whatever configuration you are
>> putting in the web.xml, can be overriden by get or post parameters.
>>
>> Do I miss something, or should I filled a JIRA ?
>> Thank you
>>
>
>