Posted to issues@struts.apache.org by "Christoph Lenggenhager (JIRA)" <ji...@apache.org> on 2013/01/22 17:28:12 UTC

[jira] [Commented] (WW-3973) WW-3866 overrides ParameterNameAware decision with interceptor settings

    [ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13559744#comment-13559744 ] 

Christoph Lenggenhager commented on WW-3973:
--------------------------------------------

Obviously, it is not a big deal to move the whole validation process into ParameterNameAware actions and configure the interceptor not to accept any parameter. However, we would have been quite exposed if we hadn't detected this during testing as our actions do parameter whitelisting.
                
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
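Added illustration, not code from the Struts/XWork project or from the reporter: it models the two quoted forms of the acceptableName decision side by side, with a hypothetical whitelisting action, so the effect of the WW-3866 change can be reproduced. The ParameterNameAware stand-in, the WhitelistAction class and the ACCEPT pattern are assumptions for the example, not the real interceptor's default pattern.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

// Model of the decision quoted in WW-3973 (not Struts/XWork code).
public class ParameterNameDecision {

    // Stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    // Hypothetical action that whitelists exactly the parameters it expects.
    static class WhitelistAction implements ParameterNameAware {
        private final Set<String> allowed = new HashSet<>(Arrays.asList("username", "email"));
        public boolean acceptableParameterName(String name) { return allowed.contains(name); }
    }

    // Assumed interceptor-level accept pattern (placeholder, not the Struts default):
    // any "plain" identifier-like name passes.
    private static final Pattern ACCEPT = Pattern.compile("[A-Za-z0-9_.\\[\\]]+");

    static boolean acceptableName(String name) { return ACCEPT.matcher(name).matches(); }

    // Logic before the WW-3866 change: interceptor AND action must both accept,
    // so an action's whitelist can veto a name the interceptor pattern allows.
    static boolean acceptableAnd(String name, ParameterNameAware action) {
        return acceptableName(name)
                && (action == null || action.acceptableParameterName(name));
    }

    // Logic after revision 1379386: interceptor OR action accepts, so any name
    // matching the interceptor pattern is set even if the action rejects it.
    static boolean acceptableOr(String name, ParameterNameAware action) {
        return acceptableName(name)
                || (action != null && action.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        ParameterNameAware action = new WhitelistAction();
        // "username" is whitelisted; "role" is not, but matches the interceptor pattern.
        for (String name : new String[] { "username", "role" }) {
            System.out.printf("%-9s before(AND)=%-5b after(OR)=%b%n",
                    name, acceptableAnd(name, action), acceptableOr(name, action));
        }
    }
}
```

Running it shows the non-whitelisted name rejected by the AND form and accepted by the OR form, which is the exposure the reporter describes; the workaround in the comment (an interceptor configured to accept nothing) makes acceptableName return false so the action's decision is the only one that remains.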