Posted to issues@struts.apache.org by "Musachy Barroso (JIRA)" <ji...@apache.org> on 2009/08/13 01:03:59 UTC

[jira] Resolved: (WW-3214) AliasInterceptor does not set setDenyMethodExecution()

     [ https://issues.apache.org/struts/browse/WW-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Musachy Barroso resolved WW-3214.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0.15)

> AliasInterceptor does not set setDenyMethodExecution()
> ------------------------------------------------------
>
>                 Key: WW-3214
>                 URL: https://issues.apache.org/struts/browse/WW-3214
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.1.6, 2.1.7
>            Reporter: Jasper Rosenberg
>             Fix For: 2.1.8
>
>
> There are actually a lot of issues with AliasInterceptor:
> 1. It injects the aliased parameter without first setting ReflectionContextState.setDenyMethodExecution(contextMap, true).  This is a security issue.
> 2. It doesn't handle conversion errors
> 3. It doesn't set setCreatingNullObjects(contextMap, true) like all other parameter injecting interceptors
> 4. It uses a different instance of the parameter map than all of the other parameter related interceptors (stack.getContext().get("parameters") rather than ac.getParameters())
> 5. It doesn't offer an option to not inject the other parameters later on (in other words, if I alias A to B, the contents of A get injected twice, once as A and once as B, assuming I have ParameterInterceptor in the stack too and haven't explicitly filtered out A.)  This is more of an enhancement request of course.
> My 2 cents is that the AliasInterceptor should just be deprecated, and the ability to alias a parameter should just be moved to ParameterInterceptor.  It would be nice too because, if you made static parms also extend parms (WW-3213), then all three parameter injecting interceptors would support aliasing.   That would be a nice consistency, and useful now that static-parms can be set by wildcards.  Issue 5. could be more easily implemented from within the main parms interceptor as well.

-- 
This message is automatically generated by JIRA.
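
The guard pattern that items 1 to 4 of the quoted report ask for, shown as an added example (it is not the Struts fix for WW-3214 and not project code). It assumes xwork-core 2.1.x on the classpath, where ActionContext.getParameters() returns a Map; GuardedAliasInjector and inject are hypothetical names.

```java
import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.reflection.ReflectionContextState;

/** Hypothetical helper: copies one request parameter to an aliased name on the value stack. */
public final class GuardedAliasInjector {

    private GuardedAliasInjector() {
    }

    public static void inject(ActionInvocation invocation, String sourceName, String aliasName) {
        ActionContext ac = invocation.getInvocationContext();

        // Item 4: read the same parameter map the other parameter interceptors use.
        Map<String, Object> parameters = ac.getParameters();
        if (parameters == null || !parameters.containsKey(sourceName)) {
            return;
        }

        ValueStack stack = ac.getValueStack();
        Map<String, Object> contextMap = stack.getContext();
        try {
            // Item 1: no method calls while the value is being written.
            ReflectionContextState.setDenyMethodExecution(contextMap, true);
            // Item 2: record type conversion failures instead of dropping them.
            ReflectionContextState.setReportingConversionErrors(contextMap, true);
            // Item 3: allow intermediate null objects to be created, as the
            // other parameter-injecting interceptors do.
            ReflectionContextState.setCreatingNullObjects(contextMap, true);

            stack.setValue(aliasName, parameters.get(sourceName));
        } finally {
            // Restore the flags so later evaluation in this request is unaffected,
            // even when setValue throws.
            ReflectionContextState.setCreatingNullObjects(contextMap, false);
            ReflectionContextState.setReportingConversionErrors(contextMap, false);
            ReflectionContextState.setDenyMethodExecution(contextMap, false);
        }
    }
}
```

A review check that follows from this: every interceptor that writes request-derived values to the value stack should have the deny flag set before the write and cleared in a finally block.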