struts-issues mailing list archives

From "Christoph Lenggenhager (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-3973) WW-3866 overrides ParameterNameAware decision with interceptor settings
Date Mon, 28 Jan 2013 13:03:12 GMT

    [ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564254#comment-13564254 ]

Christoph Lenggenhager commented on WW-3973:
--------------------------------------------

I would not opt for a switch, because configuration in this area should be as simple as possible.
I understand the point with too restrictive rules.
I think it is definitely worth a disclaimer in the docs (and maybe in the release notes if possible).
We can live with a won't fix, now that we found out about it.
Thank you for taking the time to discuss it.

> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>             Fix For: 2.3.9
>
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
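To make the difference between the two quoted expressions concrete, the following is an added Java illustration; it is not code from Struts, XWork or the issue. The `ParameterNameAware` interface is modelled on the real XWork interface, but the accepted/excluded patterns, the `WhitelistingAction` class and the sample parameter names are assumptions chosen for the demonstration.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Simplified model of the ParametersInterceptor acceptance check, added here to
// illustrate the two expressions quoted in WW-3973. Not Struts/XWork code.
// ACCEPTED, EXCLUDED, WhitelistingAction and the sample names are assumptions.
public class ParameterAcceptanceDemo {

    // Shape of com.opensymphony.xwork2.interceptor.ParameterNameAware:
    // an action gets a say on every incoming parameter name.
    interface ParameterNameAware {
        boolean acceptableParameterName(String parameterName);
    }

    // Assumed interceptor-level patterns, standing in for the interceptor's own
    // accepted/excluded parameter-name configuration (deployments set their own).
    static final Pattern ACCEPTED = Pattern.compile("[a-zA-Z0-9\\.\\]\\[\\(\\)_']+");
    static final Pattern EXCLUDED = Pattern.compile("^(dojo|struts)\\..*");

    // Mirrors the role of ParametersInterceptor.acceptableName(name):
    // a generic, interceptor-wide rule that knows nothing about the action.
    static boolean acceptableName(String name) {
        return ACCEPTED.matcher(name).matches() && !EXCLUDED.matcher(name).matches();
    }

    // Logic before the WW-3866 fix: interceptor rule AND the action's decision.
    // A parameter is set only if both agree.
    static boolean acceptableBefore(String name, ParameterNameAware action) {
        return acceptableName(name)
                && (action == null || action.acceptableParameterName(name));
    }

    // Logic after the WW-3866 fix: interceptor rule OR the action's decision.
    // The action can widen the set, but can no longer narrow it.
    static boolean acceptableAfter(String name, ParameterNameAware action) {
        return acceptableName(name)
                || (action != null && action.acceptableParameterName(name));
    }

    // Assumed action that relies on an explicit whitelist of parameter names.
    static class WhitelistingAction implements ParameterNameAware {
        private final Set<String> allowed = Set.of("username", "page");

        @Override
        public boolean acceptableParameterName(String parameterName) {
            return allowed.contains(parameterName);
        }
    }

    public static void main(String[] args) {
        ParameterNameAware action = new WhitelistingAction();
        // Constructed sample parameter names: two on the whitelist, one the action
        // rejects but the generic pattern allows, one the interceptor excludes.
        String[] names = {"username", "page", "user.admin", "struts.token"};

        System.out.printf("%-14s %-7s %-7s%n", "name", "before", "after");
        for (String name : names) {
            System.out.printf("%-14s %-7b %-7b%n", name,
                    acceptableBefore(name, action), acceptableAfter(name, action));
        }
    }
}
```

Running this prints one row per name: the whitelisted names are accepted by both expressions, and `struts.token` is rejected by both because the interceptor's excluded pattern vetoes it either way. The row that matters is `user.admin`: the action's whitelist rejects it, so the older `&&` form refuses it, while the newer `||` form accepts it because the generic pattern alone is enough. That is the point of the issue from a defender's side: under the `||` logic an action's `acceptableParameterName` can only add names, so any restriction an application needs has to live in the interceptor's own accepted/excluded configuration rather than in the action.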
