struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: [VOTE] [FAST TRACK] Struts 2.3.15.3
Date Wed, 16 Oct 2013 14:38:03 GMT
2013/10/16  <yuki.sugawara.sg@hitachi-systems.com>:
> Thanks Lukasz.
> This is not a vote, but additional questions.
>
> https://cwiki.apache.org/confluence/display/WW/S2-018
>> After upgrading to Struts 2.3.15.3, applications using the "action:" will stop working.
>
> We still want "action:" to work if possible, so we have added
>
> * struts.mapper.action.prefix.enabled
> * struts.mapper.action.prefix.crossNamespaces
>
> into struts.properties (or struts.xml) and set their values to true, as suggested in "Backward Compatibility".
> But "action:" did not seem to work under the 2.3.15.3 environment, contrary to our expectation.
> (Not a 404 error like 2.3.15.2, but it transitions to the same page.)
>
> (Q1) Are those additional constants effective as mentioned in new S2-018?
> (Q2) Assuming that the backward compatibility works, can we expect that applying 2.3.15.3 with the additional constants set to true is still valuable as a solution to the problem "Broken Access Control Vulnerability" targeted in S2-018?

Are you sure? I have just tested (again) with struts2-blank and it
works as expected. You must have some strange configuration.

    <constant name="struts.mapper.action.prefix.enabled" value="true"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>

And I suggest leaving "struts.mapper.action.prefix.crossNamespaces" disabled.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
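
An added example, not part of the message above and not Struts project code: a small audit that reads the two constants discussed in this thread from struts.xml and struts.properties text and flags any source that turns "struts.mapper.action.prefix.crossNamespaces" on. The function names and sample inputs are constructed for illustration, and the case-insensitive reading of "true" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

ENABLED = "struts.mapper.action.prefix.enabled"
CROSS_NS = "struts.mapper.action.prefix.crossNamespaces"

def constants_from_xml(text):
    """Collect <constant name=... value=...> entries from struts.xml text."""
    root = ET.fromstring(text)
    return {c.get("name"): c.get("value", "") for c in root.iter("constant")}

def constants_from_properties(text):
    """Collect key=value (or key:value) entries from struts.properties text."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            found[parts[0]] = parts[1]
    return found

def is_true(value):
    # Assumption: any casing of "true" counts as enabled, so the audit errs toward flagging.
    return value is not None and value.strip().lower() == "true"

def audit(sources):
    """sources: list of (label, constants dict). Returns (label, level, constant) findings."""
    findings = []
    for label, consts in sources:
        if is_true(consts.get(ENABLED)):
            findings.append((label, "INFO", ENABLED))
        if is_true(consts.get(CROSS_NS)):
            # The reply suggests leaving crossNamespaces disabled.
            findings.append((label, "WARN", CROSS_NS))
    return findings

# Constructed sample inputs (not from the thread).
SAMPLE_XML = """<struts>
  <constant name="struts.mapper.action.prefix.enabled" value="true"/>
  <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>
</struts>"""
SAMPLE_PROPS = """# constructed struts.properties
struts.mapper.action.prefix.enabled = true
struts.mapper.action.prefix.crossNamespaces=false
"""

if __name__ == "__main__":
    report = audit([("struts.xml", constants_from_xml(SAMPLE_XML)),
                    ("struts.properties", constants_from_properties(SAMPLE_PROPS))])
    for label, level, name in report:
        print(f"{level}: {label} sets {name}=true")
```

Findings are reported per file and are not merged, so the audit makes no claim about which file wins when both set the same constant.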
