struts-user mailing list archives

From Łukasz Lenart <lukasz.len...@googlemail.com>
Subject Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Date Fri, 16 Dec 2011 07:13:07 GMT
Thanks Bruce, I'm checking that right now, give me some time


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/


2011/12/15 bphillips@ku.edu <bphillips@ku.edu>:
> I'd previously
> http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
> blogged about the security vulnerability that exists when Struts dynamic
> method invocation is not disabled. I was happy to learn that this
> vulnerability was addressed in the 2.3.1 release.
>
> However, after adding the strict-method-invocation="true" to my package
> statement a user of my example application is still able to execute any
> public method (for example getPassword) of the action class.
>
> I'm following the
> http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
> instructions here that state to add strict-method-invocation="true" to the
> package statement to prevent dynamic method invocation from executing any
> method except the method specified in the method attribute of the action.
>
> You can download the example application from my
> http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
> blog post to see how I tested the 2.3.1 release and dynamic method
> invocation. See the readme file in the download for instructions on how to
> build and deploy the example.
>
> Have I missed some additional configuration that must be done to prevent
> dynamic method invocation from allowing the user to execute methods besides
> the method specified in the action's method attribute?
>
> Thank you for the assistance.
>
> --
> View this message in context: http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5077597.html
> Sent from the Struts - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
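The quoted report above relies on strict-method-invocation="true" in the package while leaving the global dynamic method invocation switch untouched. The following audit script is an added example, not part of this thread or of the Struts project: it parses a struts.xml and flags that situation. It assumes the standard constant name `struts.enable.DynamicMethodInvocation` (not mentioned in the thread) and uses a constructed sample struts.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: strict-method-invocation is set on the package, but the
# global DMI constant is left at its default, which keeps the "!method" syntax alive.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="false" />
  <package name="basic" extends="struts-default" strict-method-invocation="true">
    <action name="login" class="example.LoginAction" method="execute">
      <result>/login.jsp</result>
    </action>
  </package>
</struts>
"""

# Same configuration with DMI switched off globally (the check a reviewer wants to see).
HARDENED_STRUTS_XML = SAMPLE_STRUTS_XML.replace(
    '<constant name="struts.devMode" value="false" />',
    '<constant name="struts.devMode" value="false" />\n'
    '  <constant name="struts.enable.DynamicMethodInvocation" value="false" />',
)

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"  # assumed standard constant name


def dmi_enabled(root):
    """True unless the global DMI constant is explicitly set to false (default is enabled)."""
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return const.get("value", "").strip().lower() != "false"
    return True


def audit_struts_xml(xml_text):
    """Return a list of human-readable findings about dynamic method invocation exposure."""
    root = ET.fromstring(xml_text)
    findings = []
    globally_enabled = dmi_enabled(root)
    if globally_enabled:
        findings.append(f"{DMI_CONSTANT} is not set to false: the '!method' syntax is still accepted")
    for pkg in root.iter("package"):
        name = pkg.get("name", "?")
        strict = pkg.get("strict-method-invocation", "false").strip().lower() == "true"
        if not strict:
            findings.append(f"package '{name}' does not set strict-method-invocation=\"true\"")
        elif globally_enabled:
            findings.append(f"package '{name}' relies on strict-method-invocation alone while DMI is globally enabled")
    return findings
```

Run `audit_struts_xml` over a deployed application's struts.xml; an empty list means DMI is off globally and every package also opts into strict method invocation.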


