struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Miguel Almeida <>
Subject Re: security impact after enabling back the "action:" prefix in Struts
Date Tue, 26 Nov 2013 09:19:06 GMT
Picking up on this topic, I noticed that disabling this feature will
break any JSPs where you've set the action in the <s:submit> tag instead
of the <s:form> tag.

This is particularly problematic in situations where  for some reason
you have one form with two submit tags, since the submit is the only
place where you can distinguish the actions.

This can also be related with a similar situation in s2-019, where the
disabling of the DMI makes the method="" parameter of the tags unusable.

I've learnt that this will be better handled in a future version of
struts, so my assumption is that the normal behaviour will return in
both situations on a future non-security release - hopefully the next
one! Maybe someone from the dev team can share their input with us?

Kind regards,
Miguel Almeida

On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:

> Dear Struts2 mailing list,
> i have the following question(s)/ i need the following advice:
> by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as to:
> for security reasons,
> but i need to set it back to true(i.e. the
> struts.mapper.action.prefix.enabled) because my actions do not work
> after the library update and if i decide to go another way to solve this
> issue, i need to do a lot of refactoring on my code;
> So my question is:
> if i enable the "action:" prefix, does it mean that, i automatically
> compromise/expose my application to the security issues discussed in
> s2-16, s2-17 and s2-18?
> Is there a workaround for my scenario, that i can enable the prefix, but
> still maintain the security level of my application considering the
> enumerated above issues?(can i achieve better results if i tweak
> properly the struts.mapper.action.prefix.crossNamespaces)
> many thanks for your opinions and support!
> Best,
> krassen

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message