struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4616) Unable to receive GET parameters with field name 'cId'
Date Thu, 24 Mar 2016 07:18:25 GMT

    [ https://issues.apache.org/jira/browse/WW-4616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15209905#comment-15209905 ]

Lukasz Lenart commented on WW-4616:
-----------------------------------

Reverting back to OGNL 3.0.6 won't affect CVE-2016-0785; you can even use your 2.3.20, 2.3.24
and 2.3.24.1 Struts versions by just adding the following constant into {{struts.xml}}:

{code:xml}
<constant name="struts.excludedClasses"
          value="
            java.lang.Object,
            java.lang.Runtime,
            java.lang.System,
            java.lang.Class,
            java.lang.ClassLoader,
            java.lang.Shutdown,
            java.lang.ProcessBuilder,
            ognl.OgnlContext,
            ognl.ClassResolver,
            ognl.TypeConverter,
            com.opensymphony.xwork2.ognl.SecurityMemberAccess,
            com.opensymphony.xwork2.ActionContext" />
{code}

> Unable to receive GET parameters with field name 'cId'
> ------------------------------------------------------
>
>                 Key: WW-4616
>                 URL: https://issues.apache.org/jira/browse/WW-4616
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.28
>         Environment: CentOS6/Windows7, Oracle Java 1.8.0_74, Tomcat6
>            Reporter: Takeshi Nakashima
>
> After I upgraded Struts from 2.3.24.1 to 2.3.28, some action classes became unable to receive some GET parameters.
> The action classes have fields and setter methods like below.
> private int cId;
> public void setCId(int cId) {
> 	this.cId = cId;
> }
> private int blockId;
> public void setBlockId(int blockId) {
> 	this.blockId = blockId;
> }
> http://localhost:8080/app/XXX.action?cId=9&blockId=145
> When I send an HTTP request from a link like above, the action class receives only the 'blockId' value.
> cId=0
> num=145
> But if I change the field name 'cId' to 'cid' and the method name 'setCId' to 'setCid', the GET value 9 will be passed to 'cid'.
> cid=9
> num=145



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
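
An added example, not part of the original message or of the Struts project's code: a Python check that a given struts.xml defines {{struts.excludedClasses}} and that the value contains every class from the list in the comment above. The function names and the sample configs are constructed for illustration, and only the one document passed in is inspected.

```python
import xml.etree.ElementTree as ET

# Class list copied from the struts.excludedClasses value in the comment above.
REQUIRED = frozenset("""
    java.lang.Object java.lang.Runtime java.lang.System java.lang.Class
    java.lang.ClassLoader java.lang.Shutdown java.lang.ProcessBuilder
    ognl.OgnlContext ognl.ClassResolver ognl.TypeConverter
    com.opensymphony.xwork2.ognl.SecurityMemberAccess
    com.opensymphony.xwork2.ActionContext
""".split())


def excluded_classes(struts_xml):
    """Return the classes listed in struts.excludedClasses, or None if absent.

    Only the document passed in is inspected; overrides in other files
    (included XML, struts.properties) are outside this check.
    """
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.excludedClasses":
            value = const.get("value", "")
            # The value is comma separated and may span indented lines.
            return {c.strip() for c in value.split(",") if c.strip()}
    return None


def missing_classes(struts_xml):
    """Return the sorted REQUIRED classes that the config does not exclude."""
    listed = excluded_classes(struts_xml)
    return sorted(REQUIRED if listed is None else REQUIRED - listed)


# Constructed sample configs (not taken from any real application).
_HEAD = '<struts><constant name="struts.devMode" value="false"/>'
FULL = (_HEAD + '<constant name="struts.excludedClasses" value="\n    '
        + ",\n    ".join(sorted(REQUIRED)) + '"/></struts>')
PARTIAL = _HEAD + ('<constant name="struts.excludedClasses" value="'
                   'java.lang.Object, java.lang.Runtime"/></struts>')
ABSENT = _HEAD + "</struts>"

if __name__ == "__main__":
    for name, doc in (("FULL", FULL), ("PARTIAL", PARTIAL), ("ABSENT", ABSENT)):
        gaps = missing_classes(doc)
        print(name, "OK" if not gaps else "missing: " + ", ".join(gaps))
```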
