假设我有一个看起来像/ controller / action / UserID的路由接受POST.
然后假设有人POST到该URL,并将一个名为UserID的变量设置为其他内容.
我想弄清楚的是,是否有可能出现安全问题,其中一个值“偷偷溜过”我执行的权限检查.
最佳答案 参数源优先级的顺序由ValueProviderFactories.Factories集合确定,其中(默认情况下)POST-ed参数优先于模型绑定期间的路径数据.
因此,如果某人POST UserId = 666到您的控制器UserId中的/ controller / action / 777 url将为666.
本文的Value Providers部分概述了它的工作原理:
At run time, ASP.NET MVC uses the value providers registered in the
ValueProviderFactories class to evaluate request values that the model
binders can use.By default, the value provider collection evaluates values from the
various sources in the following order:
- Previously bound action parameters, when the action is a child
action- Form fields (
Request.Form)- The property values in the JSON
Request body (Request.InputStream), but only when the request is an
AJAX request- Route data (
RouteData.Values)- Querystring parameters
(Request.QueryString)- Posted files (
Request.Files)
