struts-user mailing list archives

From "Krassen Deltchev" <>
Subject Re: security impact after enabling back the "action:" prefix in Struts
Date Sun, 01 Dec 2013 20:28:36 GMT
Dear Miguel!

Thank you very much for your thoughts on the problem and your feedback!
Keep the good work up!

All the best!


On 26.11.13 10:19, Miguel Almeida wrote:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
> This is particularly problematic in situations where, for some reason,
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
> This can also be related to a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
> I've learnt that this will be better handled in a future version of
> struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?
> Kind regards,
> Miguel Almeida
> On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:
>> Dear Struts2 mailing list,
>> I have the following question(s) / I need the following advice:
>> By default the "action:" prefix is set to false in Struts2 v2.3.15.3,
>> for security reasons,
>> but I need to set it back to true (i.e. the
>> struts.mapper.action.prefix.enabled) because my actions do not work
>> after the library update, and if I decide to go another way to solve this
>> issue, I need to do a lot of refactoring on my code.
>> So my question is:
>> if I enable the "action:" prefix, does it mean that I automatically
>> compromise/expose my application to the security issues discussed in
>> s2-16, s2-17 and s2-18?
>> Is there a workaround for my scenario, so that I can enable the prefix but
>> still maintain the security level of my application considering the
>> issues enumerated above? (Can I achieve better results if I tweak
>> struts.mapper.action.prefix.crossNamespaces properly?)
>> Many thanks for your opinions and support!
>> Best,
>> krassen


Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I!/test2v
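The settings discussed in this thread, collected as an added struts.xml example (not code from either poster or from the Struts project). The constant names struts.mapper.action.prefix.enabled and struts.mapper.action.prefix.crossNamespaces are the ones named in the question; struts.enable.DynamicMethodInvocation is the DMI switch Miguel's reply refers to. The action names, namespaces and the JSP shown in the comments are assumed for illustration. Whether re-enabling the prefix re-exposes the S2-016/017/018 issues is the question of the thread and is not answered on this page; the fragment only makes the trade-off explicit so it can be reviewed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>

    <!-- Hardened defaults as shipped with Struts 2.3.15.3: leave these three
         in place unless a JSP genuinely depends on the feature. -->
    <constant name="struts.mapper.action.prefix.enabled"         value="false"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="false"/>
    <constant name="struts.enable.DynamicMethodInvocation"       value="false"/>

    <!-- Relaxed variant, only if a form needs several submit buttons that
         map to different actions, e.g. (assumed JSP):

           <s:form action="edit" namespace="/orders">
             <s:submit value="Save"   action="save"/>
             <s:submit value="Delete" action="delete"/>
           </s:form>

         <s:submit action="delete"/> renders a button whose name is
         "action:delete"; the mapper only honours that parameter when the
         prefix is enabled. Keep crossNamespaces at false so such a parameter
         can only select an action inside the namespace the form posted to
         (/orders here), not an arbitrary action elsewhere in the app.
         Uncomment to enable:

    <constant name="struts.mapper.action.prefix.enabled"         value="true"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="false"/>
    -->

    <!-- Assumed actions used by the JSP above. -->
    <package name="orders" namespace="/orders" extends="struts-default">
        <action name="edit"   class="example.OrderAction" method="edit">
            <result>/WEB-INF/jsp/orders/edit.jsp</result>
        </action>
        <action name="save"   class="example.OrderAction" method="save">
            <result type="redirectAction">edit</result>
        </action>
        <action name="delete" class="example.OrderAction" method="delete">
            <result type="redirectAction">list</result>
        </action>
    </package>

</struts>
```

Because the "action:" parameter is chosen by the browser, every action reachable through it must be one the user is allowed to invoke on its own; a separate, explicitly mapped action per button (as above) keeps that reviewable, whereas re-enabling DMI or crossNamespaces widens what a crafted parameter can select.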
