struts-user mailing list archives

From Dave Newton <davelnew...@gmail.com>
Subject Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Date Fri, 16 Dec 2011 14:41:49 GMT
Define "not working for you".

Dave

On Fri, Dec 16, 2011 at 2:17 AM, Reshmi <rasmi@trinitymobility.com> wrote:

> Dear Bruce,
> I checked the tag strict-method-invocation, but
> <package name="default" extends="struts-default" namespace="/"
>          strict-method-invocation="true">
> </package>
> But it is not working for me. Give me some sample codes.
> -----Original Message-----
> From: Łukasz Lenart [mailto:lukasz.lenart@googlemail.com]
> Sent: Friday, December 16, 2011 12:43 PM
> To: Struts Users Mailing List
> Subject: Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
>
> Thanks Bruce, I'm checking that right now, give me some time
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> Warszawa JUG conference - Confitura http://confitura.pl/
>
>
> 2011/12/15 bphillips@ku.edu <bphillips@ku.edu>:
> > I'd previously blogged
> > (http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation)
> > about the security vulnerability that exists when Struts dynamic
> > method invocation is not disabled. I was happy to learn that this
> > vulnerability was addressed in the 2.3.1 release.
> >
> > However, after adding strict-method-invocation="true" to my package
> > statement a user of my example application is still able to execute any
> > public method (for example getPassword) of the action class.
> >
> > I'm following the instructions here
> > (http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation)
> > that state to add strict-method-invocation="true" to the
> > package statement to prevent dynamic method invocation from executing any
> > method except the method specified in the method attribute of the action.
> >
> > You can download the example application from my blog post
> > (http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation)
> > to see how I tested the 2.3.1 release and dynamic method
> > invocation. See the readme file in the download for instructions on how
> > to build and deploy the example.
> >
> > Have I missed some additional configuration that must be done to prevent
> > dynamic method invocation from allowing the user to execute methods
> > besides the method specified in the action's method attribute?
> >
> > Thank you for the assistance.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
>
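The thread above turns on two settings: the package-level strict-method-invocation="true" attribute and the action's method attribute. The struts.xml below is an added example, not Bruce's sample application and not code from the Struts project; it shows those two settings next to the framework-wide constant that disables dynamic method invocation outright, so that a deployment does not depend on the package attribute alone. The action class com.example.LoginAction, its method names and the JSP paths are constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Layer 1: turn Dynamic Method Invocation off framework-wide. With DMI
         enabled, a request can name any public method of the action class
         (the thread's example is getPassword) instead of the method
         configured in the action element. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Layer 2: the package-level switch discussed in the thread. Bruce
         reports that in his 2.3.1 test this attribute by itself did not stop
         the call, so it is kept here as an additional control, not the only
         one. -->
    <package name="default" extends="struts-default" namespace="/"
             strict-method-invocation="true">

        <!-- Layer 3: name the single method each mapping may run. Class name,
             method names and result paths are constructed for this example. -->
        <action name="login" class="com.example.LoginAction" method="execute">
            <result name="success">/WEB-INF/jsp/welcome.jsp</result>
            <result name="input">/WEB-INF/jsp/login.jsp</result>
        </action>

        <!-- A second, deliberately separate mapping for the one other method
             that should be reachable; nothing else on the class gets a URL. -->
        <action name="changePassword" class="com.example.LoginAction"
                method="changePassword">
            <result name="success">/WEB-INF/jsp/welcome.jsp</result>
        </action>
    </package>
</struts>
```

After deploying, repeat the check Bruce describes: a request that names a method other than the one configured for the mapping must not run it. If it still does, as the thread reports for 2.3.1, treat the configuration as not in effect rather than assuming the attribute worked. Independently of the framework switch, keeping secrets out of public getters on action classes (for example by holding them in a separate model object) limits what dynamic method invocation can reach if it is ever re-enabled.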
