You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Johno Crawford (JIRA)" <ji...@apache.org> on 2013/05/17 15:21:16 UTC

[jira] [Commented] (WW-3973) WW-3866 overrides ParameterNameAware decision with interceptor settings

    [ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13660701#comment-13660701 ] 

Johno Crawford commented on WW-3973:
------------------------------------

Bit late to the party <insert slowpoke pic>, we would love to see a configuration option for this to return the old behaviour, or a way to invoke the global check from the Action overriding ParameterNameAware, orrrr refactoring ParametersInterceptor so it's easier to extend.
                
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>            Assignee: Lukasz Lenart
>             Fix For: 2.3.12
>
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira