struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Not calling ParameterNameAware.acceptableParameterName when implemented - since xwork 2.3.7
Date Tue, 16 Jul 2013 09:57:39 GMT
2013/7/13 Przemysław Celej <p-celej@o2.pl>:
> Hi,
>
> Recently we had to update Struts2 to the most recent version due to security
> issues. After the update we've noticed some strange behaviour: in my
> application every action implements the ParameterNameAware interface. Till
> yesterday I thought that the interface's method acceptableParameterName() is
> called _every time_ Struts tries to set a parameter, and that was the
> case till Struts 2.3.7 came out. I found that now the method is called
> _only_ if the parameter's name is not allowed by Struts' configuration (see
> ParametersInterceptor class comparison: [1] [2]). This behaviour allows
> manipulating internal action's properties whose name met configuration
> patterns - in practice, in most applications this allows accessing the business
> logic layer that shouldn't be accessed by users in any way. What is worse,
> there is no mention in the version notes for 2.3.7 [3] about this change.

This was already pointed out and resolved in [1], and the description of
ParametersInterceptor was also extended [2]. You can always return to
the old behaviour by overriding isAcceptableParameter() in
ParametersInterceptor.

I'm wondering if changing the order of execution (i.e. return
(parameterNameAware != null &&
parameterNameAware.acceptableParameterName(name) ||
acceptableName(name));) would be better? Or maybe revert to the old
behaviour?


[1] http://struts.apache.org/release/2.3.x/docs/version-notes-2312.html
[2] http://struts.apache.org/release/2.3.x/docs/parameters-interceptor.html


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
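
The following is an added example, not part of the original message or of the Struts code base. It compares the check order described in the quoted report, the order proposed in the reply, and a hypothetical conjunction in which the action can veto a name. The local `ParameterNameAware` stand-in, the `CONFIGURED` pattern, the three method names and the sample parameter names are all assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

public class AcceptOrderDemo {
    // Local stand-in for XWork's ParameterNameAware so the example compiles without Struts.
    interface ParameterNameAware { boolean acceptableParameterName(String name); }

    // Constructed stand-in for the interceptor's configured name check (not Struts' real pattern).
    static final Pattern CONFIGURED = Pattern.compile("[\\w.]+");
    static boolean acceptableName(String name) { return CONFIGURED.matcher(name).matches(); }

    // Behaviour described in the quoted report: the action is asked only if configuration rejects.
    static boolean configFirst(String name, ParameterNameAware a) {
        return acceptableName(name) || (a != null && a.acceptableParameterName(name));
    }

    // Order proposed in the reply: the action is asked first, then configuration.
    static boolean actionFirst(String name, ParameterNameAware a) {
        return (a != null && a.acceptableParameterName(name)) || acceptableName(name);
    }

    // Hypothetical conjunction: configuration and the action must both accept the name.
    static boolean bothMustAccept(String name, ParameterNameAware a) {
        return acceptableName(name) && (a == null || a.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Constructed action that intends to expose only "username".
        ParameterNameAware action = "username"::equals;
        // Constructed parameter names: allowed by both, allowed by configuration only, allowed by neither.
        String[] names = { "username", "orderService.discount", "bad name!" };
        System.out.printf("%-24s %-12s %-12s %-14s%n",
                "parameter", "configFirst", "actionFirst", "bothMustAccept");
        for (String n : names) {
            System.out.printf("%-24s %-12b %-12b %-14b%n", n,
                    configFirst(n, action), actionFirst(n, action), bothMustAccept(n, action));
        }
    }
}
```

With `||`, both orders accept `orderService.discount` even though the action rejects it, because swapping the operands changes which check runs first but not the result. Only the conjunction lets the action veto a name that the configuration allows.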
