struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: security impact after enabling back the "action:" prefix in Struts 2.3.15.3
Date Mon, 02 Dec 2013 07:02:20 GMT
2013/11/26 Miguel Almeida <miguel@almeida.at>:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
>
> This is particularly problematic in situations where for some reason
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
>
> This can also be related with a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
>
> I've learnt that this will be better handled in a future version of
> struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?

As I have already mentioned in another topic, we are discussing this
issue on the private@ list, but I will move the discussion here to see
your input.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
