struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "bphillips@ku.edu" <bphill...@ku.edu>
Subject Dynamic Method Invocation Changes In Struts 2.3.1 Release
Date Thu, 15 Dec 2011 14:21:30 GMT
I'd previously 
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
blogged about the security vulnerability  that exists when Struts dynamic
method invocation is not disabled.  I was happy to learn that this
vulnerability was addressed in the 2.3.1 release.

However, after adding the strict-method-invocation="true" to my package
statement a user of my example application is still able to execute any
public method (for example getPassword) of the action class.

I'm following the 
http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
instructions here  that state to add  strict-method-invocation="true" to the
package statement to prevent dynamic method invocation from executing any
method except the method specified in the method attribute of the action.

You can download the example application from my 
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
blog post   to see how I tested the 2.3.1 release and dynamic method
invocation.  See the readme file in the download for instructions on how to
build and deploy the example.

Have I missed some additional configuration that must be done to prevent
dynamic method invocation from allowing the user to execute methods besides
the method specified in the action's method attribute?  

Thank you for the assistance.

--
View this message in context: http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5077597.html
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message