CWE-102 Structs:重复验证表单

Struts: Duplicate Validation Forms

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown


The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.


If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.


  • cwe_Nature: ChildOf cwe_CWE_ID: 694 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 1173 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary


Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
Integrity Unexpected State




The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files.


Two validation forms with the same name.

bad XML

<form name="ProjectForm"> ... </form>
<form name="ProjectForm"> ... </form>

It is critically important that validation logic be maintained and kept in sync with the rest of the application.


映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Struts: Duplicate Validation Forms
Software Fault Patterns SFP24 Tainted input to command