struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: SMI on steroids
Date Fri, 05 Feb 2016 09:20:16 GMT
My latest comment:

The entry that we don't want is {1} style

PatternAllowedMethod{allowedMethodPattern=(.*), original='\{1\}'\}

which doesn't check anything, effectively disabling SMI.

run{1}

This style could be left in, as it is pretty restrictive, or is
there a regex for the pattern that could be added to the globals,
acknowledging there is a potential risk in your DMI?

On 5 February 2016 at 09:04, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> Hi,
>
> There is a huge discussion about how SMI should work in case of using
> wildcard mapping [1]. Basically, when an action is defined as follows:
>
> <action name="person*" class="com.demo.PersonAction" method="{1}">
>     <result name="success">view.jsp</result>
>     <result name="input">input.jsp</result>
> </action>
>
> SMI will allow access to any method in the PersonAction class because {1} is
> translated into the RegEx (.*) - as you can see, SMI simply won't work
> here.
>
> Greg proposes to drop the translation ({1} -> (.*)) and to rely only on
> what was defined in <global-allowed-methods/> or <allowed-method/> in
> that case, which will truly limit access to methods.
>
> wdyt?
>
>
> [1] https://issues.apache.org/jira/browse/WW-4596
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
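To make the two behaviours discussed in the thread concrete, here is an added example (not Struts code and not from either poster) that models the allowed-method check in a few lines of Python. The configuration is constructed: the action's `method="{1}"` from Lukasz's mail, a `run{1}` entry of the kind Greg mentions, one plain `save` entry, and a hypothetical global list. "Current" translates every `{n}` placeholder into `(.*)`; "proposed" is my reading of the proposal, where placeholder entries contribute nothing and only explicit names are checked.

```python
import re

# Constructed configuration, modelled on the thread; none of these lists are real Struts defaults
# as verified here. Entries that contain a {n} placeholder are the ones the discussion is about.
PLACEHOLDER = re.compile(r"\{\d+\}")
GLOBAL_ALLOWED = ["execute", "input", "back", "cancel", "browse"]  # hypothetical <global-allowed-methods/>
ACTION_ALLOWED = ["{1}", "run{1}", "save"]                          # hypothetical <allowed-methods/> + method="{1}"


def translate(entry: str) -> str:
    """Current behaviour: every {n} placeholder becomes (.*), so a bare "{1}" becomes "(.*)"."""
    return PLACEHOLDER.sub("(.*)", entry)


def effective_patterns(entries, translate_placeholders: bool):
    """Return the regexes a requested method name would actually be tested against."""
    patterns = []
    for entry in entries:
        if translate_placeholders:
            patterns.append(translate(entry))
        elif PLACEHOLDER.search(entry):
            # Proposed behaviour (as modelled here): a placeholder entry is ignored entirely,
            # so only explicitly listed method names can ever match.
            continue
        else:
            patterns.append(entry)
    return patterns


def is_allowed(requested: str, translate_placeholders: bool) -> bool:
    """Is `requested` permitted under the chosen policy? Whole-name matching only."""
    entries = ACTION_ALLOWED + GLOBAL_ALLOWED
    return any(re.fullmatch(p, requested) for p in effective_patterns(entries, translate_placeholders))


if __name__ == "__main__":
    # A bare "{1}" under the current translation lets deleteEverything through; the
    # proposed policy only admits the explicit names.
    for name in ("save", "runReport", "execute", "deleteEverything"):
        print(f"{name:17} current={is_allowed(name, True)!s:5} proposed={is_allowed(name, False)}")
```

Running it shows the point of the thread directly: with translation on, `deleteEverything` is accepted because `"(.*)"` is one of the effective patterns, while with placeholder entries dropped the same request is refused and only `save` and the globals remain reachable.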
