struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (WW-4469) Avoid sending Struts text in HTTP Response Headers
Date Fri, 29 Jan 2016 17:02:40 GMT

     [ https://issues.apache.org/jira/browse/WW-4469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-4469.
-------------------------------
    Resolution: Won't Fix

> Avoid sending Struts text in HTTP Response Headers
> --------------------------------------------------
>
>                 Key: WW-4469
>                 URL: https://issues.apache.org/jira/browse/WW-4469
>             Project: Struts 2
>          Issue Type: Improvement
>    Affects Versions: 2.3.20
>         Environment: Ubuntu 14.04 LTS Server x64, JDK 8_31
>            Reporter: NZa
>             Fix For: 2.3.25
>
>
> In ticket WW-4085 a default-action-ref name was introduced which works fine in order to avoid messages like "There is no Action mapped for namespace [/config-browser] and action name [] associated with context path [/struts2-javatemplate].":
> {code:xml}
> <package name="/" extends="struts-default">
>         <default-action-ref name="HelloWorld" />
>         <action name="HelloWorld">
>             <result type="redirectAction">
>                 <param name="actionName">HelloWorld</param>
>                 <param name="namespace">example</param>
>             </result>
>         </action>
>     </package>
> {code}
> It is possible to also get messages like this:
> There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path [].
> Assuming we have the following configuration (this is in our example the one and only package):
> {code:xml}
> <package name="root" extends="struts-default" namespace="/">
>         <default-action-ref name="HelloWorld" />
>         <action name="HelloWorld">
>             <result type="redirectAction">
>                 <param name="actionName">HelloWorld</param>
>                 <param name="namespace">example</param>
>             </result>
>         </action>
>     </package>
> {code}
> Case 1: http://localhost:8080/asdasd 
> This works as expected, our default-action-ref "HelloWorld" is called.
> Case 2: http://localhost:8080/asdasd/asdasdasd
> This works as expected, our default-action-ref "HelloWorld" is called.
> Case 3: http://localhost:8080/asdasd/asdasdasd/asdasd and so on
> Like Case 2...
> Case 2 and 3 will have an HTTP 404 response with the Struts error message.
> I believe it is a good idea to have something that is called by the Dispatcher in case namespace + action is not found.
> Improvement 1:
> Don't write typical Struts messages like "There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path []." into HTTP Header response fields if in PROD mode (it allows hackers to assume that the server is based on Struts, obfuscation is better...)
> Improvement 2:
> Allow maybe something like <default-not-found-action-ref name="Http404" /> similar to ticket WW-4085 to be in sync.
> I believe that the current workaround is something like this (which should also be documented better):
> {code:xml}
> <struts>
>     <unknown-handler-stack>
>         <unknown-handler-ref name="MyUnknownHandler1" />
>         <unknown-handler-ref name="MyUnknownHandler2" />
>     </unknown-handler-stack>
> </struts>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
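
A check an operator could run over responses captured from their own deployment, to confirm that the message quoted in "Improvement 1" no longer reaches clients once an unknown handler or custom error page is in place. This is an added example, not part of the JIRA message or of Struts; the function names and sample responses are constructed, and it assumes the text can surface in the status line's reason phrase, a header value, or the error page body.

```python
import re

# The "no action mapped" text quoted in the issue; whitespace is matched
# loosely so a line-wrapped error page still matches.
STRUTS_404 = re.compile(
    r"There\s+is\s+no\s+Action\s+mapped\s+for\s+namespace\s+\[(?P<namespace>[^\]]*)\]"
    r"\s+and\s+action\s+name\s+\[(?P<action>[^\]]*)\]"
    r"\s+associated\s+with\s+context\s+path\s+\[(?P<context>[^\]]*)\]"
)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    reason = parts[2] if len(parts) > 2 else ""
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return int(parts[1]), reason, headers, body.decode("utf-8", "replace")

def find_struts_disclosure(raw: bytes):
    """Return (location, namespace, action) for every place the message appears."""
    _status, reason, headers, body = parse_response(raw)
    sources = [("status-line", reason)]
    sources += [("header:" + name, value) for name, value in headers]
    sources.append(("body", body))
    return [
        (location, m["namespace"], m["action"])
        for location, text in sources
        for m in STRUTS_404.finditer(text)
    ]

# Constructed sample responses (not captured from a real server).
MESSAGE = (b"There is no Action mapped for namespace [/references/asdasd] "
           b"and action name [asdasd] associated with context path [].")
LEAKY = (b"HTTP/1.1 404 " + MESSAGE + b"\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><h1>HTTP Status 404 - " + MESSAGE + b"</h1></body></html>")
GENERIC = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
           b"<html><body>Page not found</body></html>")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("generic", GENERIC)):
        print(label, find_struts_disclosure(raw))
```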
