struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <>
Subject Re: security impact after enabling back the "action:" prefix in Struts
Date Mon, 02 Dec 2013 07:02:20 GMT
2013/11/26 Miguel Almeida <>:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
> This is particularly problematic in situations where  for some reason
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
> This can also be related with a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
> I've learnt that this will be better handled in a future version of
> struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?

As I have already mentioned in other topic - we are discussing this
issue on private@ list but I will move the discussion here to see your

+ 48 606 323 122

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message