struts-issues mailing list archives

From "Takeshi Nakashima (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (WW-4616) Unable to receive GET parameters with field name 'cId'
Date Thu, 24 Mar 2016 07:07:25 GMT

    [ https://issues.apache.org/jira/browse/WW-4616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15209894#comment-15209894 ]

Takeshi Nakashima edited comment on WW-4616 at 3/24/16 7:07 AM:
----------------------------------------------------------------

Lukasz

Thank you very much for the information.
And I'm sorry for taking your time. Now I have found some similar questions on the Internet.


But I still have a question.
Are you sure if the reversion from ognl-3.0.13.jar to the old ognl-3.0.6.jar does not affect
the security fix for CVE-2016-0785 ?

I guess only struts2-core-2.3.28.jar and xwork-core-2.3.28.jar are required to fix CVE-2016-0785
but I'm not 100% sure about it.


was (Author: takeshi.n):
Lukasz

Thank you very much for the information.
And I'm sorry for taking your time. Now I have found some similar questions on the Internet.


But I still have a question.
Are you sure if the reversion from ognl-3.0.13.jar to the old ognl-3.0.6.jar does not affect
the security fix for CVE-2016-0785 ?

I guess only struts2-core-2.3.28.jar and xwork-core-2.3.28.jar are required fix CVE-2016-0785
but I'm not 100% sure about it.

> Unable to receive GET parameters with field name 'cId'
> ------------------------------------------------------
>
>                 Key: WW-4616
>                 URL: https://issues.apache.org/jira/browse/WW-4616
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.28
>         Environment: CentOS6/Windows7, Oracle Java 1.8.0_74, Tomcat6
>            Reporter: Takeshi Nakashima
>
> After I upgraded Struts from 2.3.24.1 to 2.3.28, some action classes became unable to receive some GET parameters.
> The action classes have fields and setter methods like below.
> private int cId;
> public void setCId(int cId) {
> 	this.cId = cId;
> }
> private int blockId;
> public void setBlockId(int blockId) {
> 	this.blockId = blockId;
> }
> http://localhost:8080/app/XXX.action?cId=9&blockId=145
> When I send an HTTP request from a link like above, the action class only receives the 'blockId' value.
> cId=0
> num=145
> But if I change the field name 'cId' to 'cid' and the method name 'setCId' to 'setCid', the GET value 9 will be passed to 'cid'.
> cid=9
> num=145


