Posted to issues@struts.apache.org by "Jasper Rosenberg (JIRA)" <ji...@apache.org> on 2009/08/04 13:50:59 UTC

[jira] Created: (WW-3213) StaticParametersInterceptor does not set setDenyMethodExecution()

StaticParametersInterceptor does not set setDenyMethodExecution()
-----------------------------------------------------------------

                 Key: WW-3213
                 URL: https://issues.apache.org/struts/browse/WW-3213
             Project: Struts 2
          Issue Type: Bug
          Components: Core Interceptors
    Affects Versions: 2.1.7, 2.1.6
            Reporter: Jasper Rosenberg
             Fix For: 2.0.15, 2.1.8


Static parameters can be set from wildcards in the action name, so I believe they are also vulnerable to OGNL method invocation security issues.

Perhaps StaticParametersInterceptor could be refactored to extend ParametersInterceptor just as ActionMappingParametersInterceptor does?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Resolved: (WW-3213) StaticParametersInterceptor does not set setDenyMethodExecution()

Posted by "Musachy Barroso (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-3213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Musachy Barroso resolved WW-3213.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0.15)

Fixed in xwork trunk. The static params interceptor will now create an empty stack used to set the params, just like the params interceptor does.

> StaticParametersInterceptor does not set setDenyMethodExecution()
> -----------------------------------------------------------------
>
>                 Key: WW-3213
>                 URL: https://issues.apache.org/struts/browse/WW-3213
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.1.6, 2.1.7
>            Reporter: Jasper Rosenberg
>             Fix For: 2.1.8
>
>
> Static parameters can be set from wildcards in the action name, so I believe they are also vulnerable to OGNL method invocation security issues.
> Perhaps StaticParametersInterceptor could be refactored to extend ParametersInterceptor just as ActionMappingParametersInterceptor does?
