struts-issues mailing list archives

From "Christoph Lenggenhager (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-3973) WW-3866 overrides ParameterNameAware decision with interceptor settings
Date Tue, 22 Jan 2013 16:28:12 GMT

    [ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13559744#comment-13559744 ]

Christoph Lenggenhager commented on WW-3973:
--------------------------------------------

Obviously, it is not a big deal to move the whole validation process into ParameterNameAware
actions and configure the interceptor not to accept any parameter. However, we would have
been quite exposed if we hadn't detected this during testing, as our actions do parameter whitelisting.
                
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).
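The two expressions quoted in the ticket are easy to misread, so here is an added, self-contained model of both decision rules (example code written for this archive page, not Struts source and not the reporter's code). `ParameterNameAware` is a one-method stand-in for the real interface, `DEFAULT_ACCEPT` is an assumed stand-in for the interceptor's own `acceptableName(name)` check rather than the exact Struts default pattern, and the action that whitelists only `username` and `email` is hypothetical. The last column shows the workaround described in the comment above: an interceptor pattern that matches nothing, so only the action's whitelist decides.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Constructed model of the before/after logic quoted in WW-3973.
public class AcceptableNameDemo {

    // Stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    // Assumed interceptor-side pattern (plain, dotted or indexed identifiers);
    // it plays the role of acceptableName(name) and is not the real Struts default.
    static final Pattern DEFAULT_ACCEPT = Pattern.compile("[a-zA-Z0-9\\.\\]\\[\\(\\)_']+");

    // Pattern that can never match: the "accept no parameter" interceptor setting
    // mentioned in the comment, leaving every decision to the action.
    static final Pattern ACCEPT_NOTHING = Pattern.compile("(?!x)x");

    static boolean interceptorAccepts(Pattern acceptParamNames, String name) {
        return acceptParamNames.matcher(name).matches();
    }

    // Before the WW-3866 fix: the interceptor AND (if present) the action must accept.
    static boolean acceptableNameOld(Pattern acceptParamNames, ParameterNameAware action, String name) {
        return interceptorAccepts(acceptParamNames, name)
                && (action == null || action.acceptableParameterName(name));
    }

    // After the WW-3866 fix, as quoted in the ticket: the interceptor OR the action suffices,
    // so a name the action rejects still gets through when the interceptor pattern matches it.
    static boolean acceptableNameNew(Pattern acceptParamNames, ParameterNameAware action, String name) {
        return interceptorAccepts(acceptParamNames, name)
                || (action != null && action.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Hypothetical action that whitelists exactly two parameter names.
        ParameterNameAware action = name -> Set.of("username", "email").contains(name);

        // Constructed sample of incoming parameter names.
        String[] params = {"username", "email", "isAdmin", "user.roles[0]"};

        System.out.printf("%-16s %-6s %-6s %s%n", "parameter", "old", "new", "new + accept-nothing pattern");
        for (String p : params) {
            System.out.printf("%-16s %-6b %-6b %b%n", p,
                    acceptableNameOld(DEFAULT_ACCEPT, action, p),
                    acceptableNameNew(DEFAULT_ACCEPT, action, p),
                    acceptableNameNew(ACCEPT_NOTHING, action, p));
        }
        // Expected: username/email are accepted in every column; isAdmin and user.roles[0]
        // are rejected under the old rule, accepted under the new rule with the default
        // pattern, and rejected again once the interceptor pattern accepts nothing.
    }
}
```

Run with `javac AcceptableNameDemo.java && java AcceptableNameDemo` (Java 9 or later for `Set.of`). The table makes the regression concrete: any action that does its own whitelisting is only effective under the new rule if the interceptor's `acceptParamNames` pattern is narrowed so that it no longer accepts names on its own.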

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
