Posted to issues@struts.apache.org by "Rene Gielen (JIRA)" <ji...@apache.org> on 2007/08/23 11:22:35 UTC
[jira] Assigned: (WW-2052) Don't set result jsp file in request parameter on redirect after POST
[ https://issues.apache.org/struts/browse/WW-2052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rene Gielen reassigned WW-2052:
-------------------------------
Assignee: Nils-Helge Garli (was: Rene Gielen)
Backport to 2.0.10 checked in.
Nils, please review.
> Don't set result jsp file in request parameter on redirect after POST
> ----------------------------------------------------------------------
>
> Key: WW-2052
> URL: https://issues.apache.org/struts/browse/WW-2052
> Project: Struts 2
> Issue Type: Improvement
> Components: Portlet Integration
> Affects Versions: 2.0.8
> Environment: JBoss Portal 2.6.0-CR3
> Reporter: Hubert Grininger
> Assignee: Nils-Helge Garli
> Fix For: 2.0.10, 2.1.0
>
>
> I have a form with method=POST.
> After sending the form, Struts2 does a redirect after POST (which is fine), but the URL used for redirecting now contains the parameter *location* whose value is the full path of the JSP file, e.g.:
> http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow?action=2&objectId=&struts.portlet.mode=view&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp&struts.portlet.eventAction=true&struts.portlet.action=renderDirect
> It's not a bug but the jsp file's name is a kind of "secret" information which I don't want to disclose to everybody.
> Additionally this could be a security problem because now you can use the location property for selecting a JSP (I'm not quite sure if this is a problem, but it doesn't sound comfortable :-) ).