struts-dev mailing list archives
From "Ted Husted" <hus...@apache.org>
Subject Re: [s2] Action ! Method syntax (was Freemarker transform name)
Date Mon, 21 Aug 2006 23:51:01 GMT
On 8/21/06, Patrick Lightbody <forum-struts-dev@opensymphony.com> wrote:
> OK, that all sounds good. My only request would be then: can we un-deprecate the !
> syntax and keep it on (by default), while still giving the option to turn it off and perhaps set
> up a "Security conscience" page on the wiki that catalogs all these switches?

I'd rather not get into the habit of treating security as an option
that people can enable as an afterthought :)

I'm fine with tabling the notion of deprecation for now, but people
who want to use this syntax should have to make that choice by adding
the "" switch to the struts.properties file.

The key reason it is a security issue is because people don't think
about the consequences of a client being able to call any no-argument
public method on any object that is serving as an Action, including
all the super classes of that object. Since Actions can be POJOs now,
it's very important that we lock these issues down, and open up the
functionality only when someone makes that choice.

Since teams migrating from WebWork will have to make other changes,
this is the ideal time to introduce the switch, so that it is just one
other thing to do.

-Ted.



>
> > On 8/21/06, Patrick Lightbody
> > <forum-struts-dev@opensymphony.com> wrote:
> > > Sure, I agree with all of that. And I've said I'm
> > open to nailing this down more with
> > > conventions and/or annotations. I'm even open to a
> > switch to turn it off.
> >
> > Which is where we are, right now, today.
> >
> >
> > >So let's dig deep and get to a consensus on what we
> > think the "right"
> > way to recommend
> > >working with Struts is.
> >
> > I'm all for that (or at least the right ways), and I
> > think we all
> > would agree that the switch isn't going to be removed
> > unless we are
> > all happy with whatever alternatives we find.
> >
> > As PMC members, we each have the unilateral right to
> > veto a change to
> > the codebase on technical grounds. If alternatives
> > can't accomplish
> > what the bang can accomplish, without bloating or
> > obfuscating the
> > configuration, then I think everyone would agree that
> > would be a
> > technical ground. (Or at least one of us would: if
> > the technical
> > ground isn't obvious, all you need is a second.)
> >
> > In my own mind, I never thought we'd remove the
> > switch before "phase
> > 2", when there might be other breaks in backward
> > compatibility.
> >
> > Right now, the last thing I want to do is
> > disenfranchise the WebWork
> > community, because I want guys like Rainer over here
> > helping me push
> > out Struts 2.0.x releases. :)
> >
> > -Ted.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail:
> > dev-help@struts.apache.org
> >
> >
> ---------------------------------------------------------------------
> Posted via Jive Forums
> http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81550#81550
>
>
>


-- 
HTH, Ted.
* http://www.husted.com/struts/
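To make the point in Ted's message concrete (that a bang-style dispatcher lets a request name any public no-argument method on the action, inherited ones included), here is an added, self-contained Java example. It is not Struts code and not part of this thread: the classes BaseSupportAction and OrderAction, the method names, and the two dispatch helpers are all constructed for illustration. It uses plain reflection, which is the mechanism such a dispatcher rests on, and shows the unrestricted dispatch next to an allow-listed one that only invokes methods the developer explicitly mapped.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;
import java.util.TreeSet;

// Constructed stand-ins for an action hierarchy (hypothetical, not Struts classes).
class BaseSupportAction {
    public String execute() { return "success"; }

    // Inherited helper that was never meant to be a URL entry point.
    public String resetCaches() { return "caches cleared"; }
}

class OrderAction extends BaseSupportAction {
    public String list() { return "listing orders"; }
    public String delete() { return "deleted order"; }
}

public class BangDispatch {

    /**
     * Every public no-argument instance method a bang-style dispatcher could reach
     * on the given class. getMethods() deliberately includes methods inherited from
     * superclasses, all the way up to java.lang.Object.
     */
    static Set<String> reachableMethods(Class<?> actionClass) {
        Set<String> names = new TreeSet<>();
        for (Method m : actionClass.getMethods()) {
            if (m.getParameterCount() == 0 && !Modifier.isStatic(m.getModifiers())) {
                names.add(m.getDeclaringClass().getSimpleName() + "." + m.getName());
            }
        }
        return names;
    }

    /** Unrestricted dispatch: whatever name follows '!' in the request is invoked as-is. */
    static Object dispatchUnrestricted(Object action, String methodName) throws Exception {
        Method m = action.getClass().getMethod(methodName);
        return m.invoke(action);
    }

    /** Hardened dispatch: only methods the developer explicitly mapped are reachable. */
    static Object dispatchAllowListed(Object action, String methodName, Set<String> allowed)
            throws Exception {
        if (!allowed.contains(methodName)) {
            throw new IllegalArgumentException("method not mapped for this action: " + methodName);
        }
        Method m = action.getClass().getMethod(methodName);
        return m.invoke(action);
    }

    public static void main(String[] args) throws Exception {
        // Shows the full surface, including BaseSupportAction.resetCaches and Object.notify/wait.
        System.out.println("Reachable via ! on OrderAction: " + reachableMethods(OrderAction.class));

        OrderAction action = new OrderAction();

        // A request naming an inherited helper succeeds without any mapping having been declared.
        System.out.println("unrestricted: " + dispatchUnrestricted(action, "resetCaches"));

        // The same request against the allow-listed dispatcher is rejected.
        Set<String> mapped = Set.of("execute", "list");
        try {
            dispatchAllowListed(action, "resetCaches", mapped);
        } catch (IllegalArgumentException e) {
            System.out.println("allow-listed: rejected (" + e.getMessage() + ")");
        }
        System.out.println("allow-listed: " + dispatchAllowListed(action, "list", mapped));
    }
}
```

Compile and run with `javac BangDispatch.java && java BangDispatch`. The printed set is the useful part: besides the two methods OrderAction declares, it lists the superclass helper and the public no-argument methods every Java object carries (getClass, hashCode, toString, notify, notifyAll, wait), which is exactly the surface the message describes when the syntax is on by default. The allow-listed variant is one way of expressing the "opt in per method" position; any real framework switch would replace the hand-built allow list, not sit beside it.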


