Posted to issues@struts.apache.org by "Johno Crawford (JIRA)" <ji...@apache.org> on 2013/05/17 15:21:16 UTC
[jira] [Commented] (WW-3973) WW-3866 overrides ParameterNameAware decision with interceptor settings
[ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13660701#comment-13660701 ]
Johno Crawford commented on WW-3973:
------------------------------------
Bit late to the party <insert slowpoke pic>, we would love to see a configuration option for this to return the old behaviour, or a way to invoke the global check from the Action overriding ParameterNameAware, orrrr refactoring ParametersInterceptor so it's easier to extend.
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
> Key: WW-3973
> URL: https://issues.apache.org/jira/browse/WW-3973
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.7
> Reporter: Christoph Lenggenhager
> Assignee: Lukasz Lenart
> Fix For: 2.3.12
>
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
> && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
> || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
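The two expressions quoted in the issue description differ only in the operator between the interceptor's global check and the action's ParameterNameAware decision, but that changes who has the final say. The following is an added example written for this page, not XWork or Struts source and not code from the issue: it places the "before" and "after" expressions side by side and feeds both the same constructed action whitelist. The global check is a simplified stand-in (a single regular expression, an assumed value) for ParametersInterceptor.acceptableName(), which in the real interceptor consults its acceptParamNames and excludeParams settings; the action class and parameter names are constructed for the illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added illustration for WW-3973 (not Struts/XWork source).
 * Compares the acceptance logic before and after revision 1379386.
 */
public class Ww3973Demo {

    /** Same shape as com.opensymphony.xwork2.interceptor.ParameterNameAware. */
    interface ParameterNameAware {
        boolean acceptableParameterName(String parameterName);
    }

    /**
     * Stand-in for the interceptor's global name check. The pattern is an
     * assumed value; the real acceptableName() applies the configured
     * acceptParamNames / excludeParams settings.
     */
    private static final Pattern GLOBAL_ACCEPT =
            Pattern.compile("[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+");

    static boolean acceptableName(String name) {
        return GLOBAL_ACCEPT.matcher(name).matches();
    }

    /** Logic before the WW-3866 fix: the global check AND the action must both accept. */
    static boolean acceptableBefore(String name, ParameterNameAware aware) {
        return acceptableName(name)
                && (aware == null || aware.acceptableParameterName(name));
    }

    /** Logic after the WW-3866 fix: the global check OR the action is enough. */
    static boolean acceptableAfter(String name, ParameterNameAware aware) {
        return acceptableName(name)
                || (aware != null && aware.acceptableParameterName(name));
    }

    /** Constructed action that whitelists exactly three parameter names. */
    static final class LoginAction implements ParameterNameAware {
        private final Set<String> allowed =
                new HashSet<>(Arrays.asList("username", "password", "remember-me"));

        @Override
        public boolean acceptableParameterName(String parameterName) {
            return allowed.contains(parameterName);
        }
    }

    public static void main(String[] args) {
        ParameterNameAware action = new LoginAction();
        // Constructed request parameter names:
        //  - "username":    on the whitelist and passes the global pattern
        //  - "role":        passes the global pattern but is NOT on the whitelist
        //  - "remember-me": on the whitelist but fails the global pattern (hyphen)
        String[] submitted = {"username", "role", "remember-me"};
        System.out.printf("%-12s %-7s %-6s%n", "name", "before", "after");
        for (String name : submitted) {
            System.out.printf("%-12s %-7b %-6b%n", name,
                    acceptableBefore(name, action), acceptableAfter(name, action));
        }
    }
}
```

Running it prints that "username" is accepted by both versions, "remember-me" is rejected before and accepted after (the behaviour WW-3866 set out to allow), and "role" flips from rejected to accepted: once the expression is an OR, an action's whitelist can only widen the set of accepted names, never narrow it, so any application that relied on acceptableParameterName() as its sole restriction silently accepts every name the global pattern tolerates. Until a configuration switch or an extension point of the kind requested in the comment exists, the restriction has to be expressed where the interceptor still honours it, that is in the interceptor's own acceptParamNames / excludeParams configuration rather than only in the action.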