From: "Yasser Zamani (JIRA)"
To: issues@struts.apache.org
Reply-To: dev@struts.apache.org
Mailing-List: contact issues-help@struts.apache.org; run by ezmlm
Date: Fri, 19 May 2017 11:06:04 +0000 (UTC)
Subject: [jira] [Issue Comment Deleted] (WW-4751) Struts2 should know and consider config time class of user's Actions

[ https://issues.apache.org/jira/browse/WW-4751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yasser Zamani updated WW-4751:
------------------------------
Comment: was deleted

(was: WW-4105 is nicely fixed by this approach, i.e. considering the config-time class of the action when copying properties in the action chain :) You can see a [list of changes here|https://github.com/yasserzamani/struts/commit/e95224f26aa17dad6ad490473b4aeab1d2ceaf79]. Now I am working on the Parameters Interceptor. Considering the config-time class of the action there enhances S2 security by preventing the proxy information of a proxied action from being changed by an attacker!)
> Struts2 should know and consider config time class of user's Actions
> --------------------------------------------------------------------
>
>                 Key: WW-4751
>                 URL: https://issues.apache.org/jira/browse/WW-4751
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Yasser Zamani
>            Priority: Minor
>             Fix For: 2.5.next
>
>
> I see that some issues like WW-4105, WW-4694 and WW-4498 suffer from the lack of this information, i.e. the config-time class of the user's action.
> I also know that future issues like the ones below may occur when Struts2 hands Actions over to an object factory and itself no longer knows anything about the Action's real class (i.e. when the user sets className to a bean name inside his object factory):
> * JSONResult will fail or will generate ugly JSON when the action is an AOPed proxy, because JSONResult tries to generate JSON from irrelevant information like advices etc.
> * From a security point of view, someone may successfully change that action's proxy or AOP information simply by calling that action and submitting some named parameters.
> I know these are solvable by forcing the user to specify includes/excludes parameters, but a better and more elegant approach is as below:
> (proxied action) -> ... -> (some subclass of action) -> ... -> (*user config time specified class*) -> ... -> (some superclass of action) -> ... -> Struts2's ActionSupport -> ...
> If we take the above as the type hierarchy of the action, then knowing the *user config time specified class*, Struts2 can exclude all subclasses above this class and all superclasses below and including ActionSupport in all sensitive places, to avoid potential future issues.
> What do you think? :)

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
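An added illustration of the hierarchy rule the issue proposes (and of the Parameters Interceptor change the deleted comment mentions), written for this page and not code from the Struts project or from the reporter. It assumes a stand-in ActionSupport, a hand-written LoginActionProxy in place of a container-generated AOP proxy, a String-only setter path instead of OGNL type conversion, and hypothetical class and method names throughout. Given the runtime class (the proxy) and the config-time class (LoginAction), it admits a request parameter only when the setter is declared on LoginAction or one of its user-written superclasses, so setters introduced by the proxy subclass or by the framework base class are refused:

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ConfigTimeClassParamFilter {

    // Stand-in for Struts' ActionSupport (assumption: the real class is not on the classpath,
    // so a minimal base type plays the "framework base" role).
    static class ActionSupport {
        private String locale;
        public void setLocale(String l) { locale = l; }   // hypothetical framework-level setter
        public String getLocale() { return locale; }
    }

    // The user's own base class: between the configured class and ActionSupport, so allowed.
    static class BaseAction extends ActionSupport {
        private String tenant;
        public void setTenant(String t) { tenant = t; }
        public String getTenant() { return tenant; }
    }

    // The class named in struts.xml, i.e. the "config time class": allowed.
    static class LoginAction extends BaseAction {
        private String username;
        public void setUsername(String u) { username = u; }
        public String getUsername() { return username; }
    }

    // Stand-in for a subclass an AOP container generates at runtime (assumption: a real
    // CGLIB/Spring proxy exposes its plumbing differently; what matters is that it is a
    // subclass of the configured class with setters the user never wrote).
    static class LoginActionProxy extends LoginAction {
        private Object target = this;
        private List<String> advices = new ArrayList<>();
        public void setTarget(Object o) { target = o; }
        public Object getTarget() { return target; }
        public void setAdvices(List<String> a) { advices = a; }
        public List<String> getAdvices() { return advices; }
    }

    /**
     * The hierarchy rule: a setter is reachable from request parameters only if the class that
     * declares it is the configured class or one of its superclasses, stopping before the
     * framework base class. Runtime subclasses (proxies) above the configured class and
     * ActionSupport (plus everything above it) are excluded.
     */
    static boolean declaredInUserBand(Class<?> declaring, Class<?> configClass, Class<?> frameworkBase) {
        boolean atOrAboveConfig = declaring.isAssignableFrom(configClass);    // configClass or a superclass of it
        boolean frameworkOrAbove = declaring.isAssignableFrom(frameworkBase); // ActionSupport or above it
        return atOrAboveConfig && !frameworkOrAbove;
    }

    /** Applies String parameters through public setters; returns the parameter names refused. */
    static List<String> applyParameters(Object action, Class<?> configClass, Class<?> frameworkBase,
                                        Map<String, String> params) throws ReflectiveOperationException {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            Method setter = findSetter(action.getClass(), name);
            // Refuse unknown setters, setters outside the user band, and non-String setters.
            if (setter == null
                    || !declaredInUserBand(setter.getDeclaringClass(), configClass, frameworkBase)
                    || setter.getParameterTypes()[0] != String.class) {
                rejected.add(name);
                continue;
            }
            setter.invoke(action, e.getValue());
        }
        return rejected;
    }

    static Method findSetter(Class<?> runtimeClass, String property) {
        if (property.isEmpty()) return null;
        String setterName = "set" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
        for (Method m : runtimeClass.getMethods()) {   // public methods, inherited ones included
            if (m.getName().equals(setterName) && m.getParameterCount() == 1) return m;
        }
        return null;
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Object action = new LoginActionProxy();      // what an object factory might hand back
        Class<?> configClass = LoginAction.class;    // what struts.xml named

        // Constructed request: two legitimate fields plus three probes at framework/proxy state.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("username", "alice");
        request.put("tenant", "acme");
        request.put("locale", "xx");       // declared on ActionSupport: excluded
        request.put("target", "evil");     // declared on the proxy subclass: excluded
        request.put("advices", "none");    // declared on the proxy subclass: excluded

        List<String> rejected = applyParameters(action, configClass, ActionSupport.class, request);
        LoginActionProxy proxy = (LoginActionProxy) action;
        System.out.println("username=" + proxy.getUsername() + " tenant=" + proxy.getTenant());
        System.out.println("locale=" + proxy.getLocale() + " targetUntouched=" + (proxy.getTarget() == proxy)
                + " advices=" + proxy.getAdvices());
        System.out.println("rejected=" + rejected);
    }
}
```

Compile and run with `javac ConfigTimeClassParamFilter.java && java ConfigTimeClassParamFilter`. The check lives entirely in `declaredInUserBand`: an includes/excludes list would have to be maintained per action, whereas the class band follows from the name already present in the configuration, which is the point the issue makes.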