struts-issues mailing list archives

From "Mitth'raw'nuruodo (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4849) ObjectFactory constructor signature change breaks extensions
Date Wed, 06 Sep 2017 06:12:02 GMT

    [ https://issues.apache.org/jira/browse/WW-4849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154858#comment-16154858 ]

Mitth'raw'nuruodo commented on WW-4849:
---------------------------------------

Sorry, I don't think I understand your reply properly.

"just drop in the plugin itself" - I'm not sure what you mean here. The {{guice-servlet}}
plugin (part of the Guice project) is no longer compatible with Struts as of release 2.5.13
due to the signature change. And I'm not sure that it can be made compatible, since it's supposed
to somehow take a no-arg constructor and yet pass a Container to its superclass. That doesn't
seem right to me. How is anyone supposed to correctly extend {{ObjectFactory}} now?

"there was no other way to fix the vulnerability" - Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}}
didn't even reference any JIRA issues. If it really was crucial to fixing vulnerabilities,
it probably should have been better documented. And is it really such a big problem to have
a no-arg constructor in {{ObjectFactory}}? I haven't been able to find detailed documentation
of the potential attack payloads, so I'm not clear on this.


> ObjectFactory constructor signature change breaks extensions
> ------------------------------------------------------------
>
>                 Key: WW-4849
>                 URL: https://issues.apache.org/jira/browse/WW-4849
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.13
>            Reporter: Mitth'raw'nuruodo
>             Fix For: 2.5.14
>
>
> Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}} changed the signature of the {{ObjectFactory}}
> constructor, breaking all classes that extend {{ObjectFactory}} (as per https://struts.apache.org/docs/objectfactory.html).
> This affects e.g. the [{{guice-servlet}} Struts plugin|https://github.com/google/guice/blob/master/extensions/struts2/src/com/google/inject/struts2/Struts2Factory.java].
> This was not listed on the [2.5.13 version notes|https://struts.apache.org/docs/version-notes-2513.html]
> as a breaking change, and breaking changes should preferably be avoided in critical security
> updates.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
