struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Manuel López Blasi <>
Subject Re: Regarding latest struts 2.3.x changes and issues with DMI and Wildcards
Date Wed, 29 Jan 2014 21:28:15 GMT
Thanks again Lukasz,

for question 1) Security issues: can you recommend some 
modifications/actions/alterations in maybe certain
parts of the code, any advice on weak points we can focus in regardings 
security issues?

for question 2)Prepare interceptor:  So there's no way of remove the 
"prepare" prefix? Maybe other implementation of
that Interceptor?

At this point my intention is to make a compromise between security and 
usability. Right now we are exposed cause we're using
and old version of the framework but on the other hand the refactor 
required to comply with the last version it's just too much.
I'm aiming at use the last version 2.3.16 with action.prefix enabled and 
try to add security elements in our code in the hope of
preventing attacks.

I know certain data can't be shared though this mailing list as it would 
expose vulnerabilities, maybe we can talk through
other chanel, personal email maybe? It would really help us if you could 
tell me some guidelines.

Your help would be greatly appreciated.
Thanks again for everything, cheerz.

El 29/01/2014 17:18, Lukasz Lenart escribió:
> 2014-01-29 Manuel López Blasi <>:
>> 1) Having the action.prefix enabled there's no intereference in the
>> securyity fixes introduced in the last versions, it should be all fully
>> working isn't it?
>> We have Dynamic Method Invocation disabled.
> No, action: prefix can be dangerous but it depends on security model
> implemented inside actions and application. I cannot share more on
> public mailing list to not disclose security vulnerability.
>> 2) Whe a button is clicked so it fires the method specified en the action
>> attribute of the s:submit tag it seems that it looks for the method
>> "prepareMethod" where Method is the method i specified, it seems that the
>> prefix "prepare" is appended. Is there a way to override or disable this
>> appending?
>> Same goes for the method validate, it is looking for "prepareValidate" , i
>> need to get rid of those appendings, since otherwise we would need to make a
>> huge refactor of
>> method namings in the project.
> It is because of prepare interceptor which is included in stack you
> are using. Basically prepareXXX is called to prepare action for
> execution of desired method.
> Regards

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message