struts-user mailing list archives

From "Krassen Deltchev" <krassen.deltc...@ruhr-uni-bochum.de>
Subject security impact after enabling back the "action:" prefix in Struts 2.3.15.3
Date Wed, 20 Nov 2013 03:33:48 GMT
Dear Struts2 mailing list,

I have the following question(s) / I need the following advice:
By default the "action:" prefix is set to false in Struts2 v2.3.15.3, as per:
http://struts.apache.org/release/2.3.x/docs/s2-018
for security reasons,
but I need to set it back to true (i.e. the
struts.mapper.action.prefix.enabled) because my actions do not work
after the library update, and if I decide to go another way to solve this
issue, I need to do a lot of refactoring on my code.
So my question is:
If I enable the "action:" prefix, does it mean that I automatically
compromise/expose my application to the security issues discussed in
s2-16, s2-17 and s2-18?
Is there a workaround for my scenario, so that I can enable the prefix but
still maintain the security level of my application considering the
issues enumerated above? (Can I achieve better results if I properly
tweak the struts.mapper.action.prefix.crossNamespaces?)

Many thanks for your opinions and support!

Best,

krassen
-- 

Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I
http://www.xing.com/profile/Krassen_Deltchev
http://de.linkedin.com/pub/krassen-deltchev/22/632/12
http://www.slideshare.net/test2v
https://twitter.com/#!/test2v
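
An added example, not part of the original message and not Struts project code: a small audit that reports where a deployment turns on either of the two constants named in the post. The function names, the sample configuration and the rule that later sources override earlier ones in the order the caller passes them are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# The two constants named in the post. Both are treated as "false" when unset:
# the post states this for the "action:" prefix in 2.3.15.3; for crossNamespaces
# it is an assumption of this example.
WATCHED = ("struts.mapper.action.prefix.enabled",
           "struts.mapper.action.prefix.crossNamespaces")

def constants_from_xml(text):
    """Return {name: value} for every <constant> element in a struts.xml document."""
    root = ET.fromstring(text)
    return {c.get("name"): c.get("value", "") for c in root.iter("constant")}

def constants_from_properties(text):
    """Return {key: value} from struts.properties text (key=value, key:value, key value)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(sources):
    """sources: list of (label, {name: value}); later entries override earlier ones.
    Returns one finding per watched constant whose effective value is true."""
    effective = {}
    for label, consts in sources:
        for name in WATCHED:
            if name in consts:
                effective[name] = (consts[name].strip().lower(), label)
    findings = []
    for name in WATCHED:
        value, label = effective.get(name, ("false", "default"))
        if value == "true":
            findings.append(f"{name}=true (set in {label})")
    return findings

# Constructed sample configuration, for illustration only.
SAMPLE_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.mapper.action.prefix.enabled" value="true"/>
</struts>"""
SAMPLE_PROPS = "# constructed sample\nstruts.mapper.action.prefix.crossNamespaces = false\n"

if __name__ == "__main__":
    for finding in audit([("struts.xml", constants_from_xml(SAMPLE_XML)),
                          ("struts.properties", constants_from_properties(SAMPLE_PROPS))]):
        print(finding)
```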
