struts-user mailing list archives

From "Krassen Deltchev" <krassen.deltc...@ruhr-uni-bochum.de>
Subject Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3
Date Sun, 01 Dec 2013 20:28:36 GMT
Dear Miguel!

Thank you very much for your thoughts on the problem and your feedback!
Keep up the good work!

All the best!

krassen

On 26.11.13 10:19, Miguel Almeida wrote:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
> 
> This is particularly problematic in situations where for some reason
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
> 
> This can also be related to a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
> 
> I've learnt that this will be better handled in a future version of
> struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?
> 
> 
> Kind regards,
> Miguel Almeida
> 
> On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:
> 
>> Dear Struts2 mailing list,
>>
>> I have the following question(s) / I need the following advice:
>> by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as to:
>> http://struts.apache.org/release/2.3.x/docs/s2-018
>> for security reasons,
>> but I need to set it back to true (i.e. the
>> struts.mapper.action.prefix.enabled) because my actions do not work
>> after the library update and if I decide to go another way to solve this
>> issue, I need to do a lot of refactoring on my code;
>> So my question is:
>> if I enable the "action:" prefix, does it mean that I automatically
>> compromise/expose my application to the security issues discussed in
>> s2-16, s2-17 and s2-18?
>> Is there a workaround for my scenario, so that I can enable the prefix, but
>> still maintain the security level of my application considering the
>> issues enumerated above? (Can I achieve better results if I properly
>> tweak the struts.mapper.action.prefix.crossNamespaces?)
>>
>> many thanks for your opinions and support!
>>
>> Best,
>>
>> krassen
> 
> 
> 


-- 

Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I
http://www.xing.com/profile/Krassen_Deltchev
http://de.linkedin.com/pub/krassen-deltchev/22/632/12
http://www.slideshare.net/test2v
https://twitter.com/#!/test2v
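
An added example, not part of the original thread and not Struts project code: a small Python audit that lists the `<s:submit>` tags in a JSP which set `action` or `method`, i.e. the tags Miguel describes as breaking when the "action:" prefix or DMI is disabled. The function name and the sample JSP are constructed for illustration.

```python
import re

# Matches a whole <s:submit ...> tag, including multi-line tags and
# attribute values that contain '>' (e.g. OGNL expressions).
SUBMIT_TAG = re.compile(r"<s:submit\b((?:[^>\"']|\"[^\"]*\"|'[^']*')*)>")
# One name="value" pair; consuming the quoted value keeps text inside
# a value (such as value="action=1") from being read as an attribute.
ATTRIBUTE = re.compile(r"([\w:-]+)\s*=\s*(\"[^\"]*\"|'[^']*')")

# Attribute on <s:submit> -> request-parameter prefix the tag relies on.
PREFIX_FOR = {"action": "action:", "method": "method:"}


def find_prefix_dependencies(jsp_text):
    """Return (line, attribute, value, prefix) for each <s:submit> that
    selects its target through the action or method attribute."""
    findings = []
    for tag in SUBMIT_TAG.finditer(jsp_text):
        line = jsp_text.count("\n", 0, tag.start()) + 1
        for attr in ATTRIBUTE.finditer(tag.group(1)):
            name, value = attr.group(1), attr.group(2)[1:-1]
            if name in PREFIX_FOR:
                findings.append((line, name, value, PREFIX_FOR[name]))
    return findings


# Constructed sample: one form with several submit buttons, the case
# from the thread where only the submit tag distinguishes the actions.
SAMPLE_JSP = """<s:form action="saveOrder">
  <s:textfield name="qty"/>
  <s:submit value="Save"/>
  <s:submit value="Cancel" action="cancelOrder"/>
  <s:submit value="%{qty > 0 ? 'Update' : 'Add'}"
            method="update"/>
</s:form>
"""

if __name__ == "__main__":
    for line, name, value, prefix in find_prefix_dependencies(SAMPLE_JSP):
        print(f"line {line}: <s:submit {name}=\"{value}\"> depends on '{prefix}'")
```

Running it over every JSP in a project gives the list of pages to refactor before leaving `struts.mapper.action.prefix.enabled` at its default of false.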
