You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Jasper Rosenberg (JIRA)" <ji...@apache.org> on 2009/08/04 13:50:59 UTC
[jira] Created: (WW-3213) StaticParametersInterceptor does not set
setDenyMethodExecution()
StaticParametersInterceptor does not set setDenyMethodExecution()
-----------------------------------------------------------------
Key: WW-3213
URL: https://issues.apache.org/struts/browse/WW-3213
Project: Struts 2
Issue Type: Bug
Components: Core Interceptors
Affects Versions: 2.1.7, 2.1.6
Reporter: Jasper Rosenberg
Fix For: 2.0.15, 2.1.8
Static parameters can be set from wildcards in the action name, so I believe they are also vulnerable to ognl method invocation security issues.
Perhaps StaticParametersInterceptor could be refactored to extend ParametersInterceptor just as ActionMappingParametersInteceptor does?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (WW-3213) StaticParametersInterceptor does not set
setDenyMethodExecution()
Posted by "Musachy Barroso (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/struts/browse/WW-3213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Musachy Barroso resolved WW-3213.
---------------------------------
Resolution: Fixed
Fix Version/s: (was: 2.0.15)
fixed in xwork trunk. The static params interceptor will now create an empty stack used to set the params, just like the params interceptor does
> StaticParametersInterceptor does not set setDenyMethodExecution()
> -----------------------------------------------------------------
>
> Key: WW-3213
> URL: https://issues.apache.org/struts/browse/WW-3213
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.1.6, 2.1.7
> Reporter: Jasper Rosenberg
> Fix For: 2.1.8
>
>
> Static parameters can be set from wildcards in the action name, so I believe they are also vulnerable to ognl method invocation security issues.
> Perhaps StaticParametersInterceptor could be refactored to extend ParametersInterceptor just as ActionMappingParametersInteceptor does?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.