Posted to dev@struts.apache.org by Dale Newfield <Da...@Newfield.org> on 2007/11/12 20:02:52 UTC
Re: [struts] s2 and DispatchAction
Moved from user list.
Dale Newfield wrote:
>> "?method:MY_METHOD_NAME"
> Is there any way to restrict which methods are valid there, or to
> turn this capability off?
Reading the source
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.java?view=markup
indicates the answer is "no".
I propose adding a check for "allowDynamicMethodCalls" in this code as
well (which if not set would effectively ignore the parameter). I
recognize that this may break some functionality (namely alternate
submit buttons in forms), but as this is really a vulnerability, I think
it is important to address...
...and we could regain the submit button functionality with JavaScript
that changes the form submission action URL...
-Dale
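Added illustration, not part of the post and not the Struts 2 DefaultActionMapper or Dale's proposed patch: a hypothetical `DynamicMethodGate` that models the check he describes, honouring a `method:NAME` parameter only when dynamic method calls are enabled and, going one step further than the post, only when NAME is on an explicit per-action allow-list. All class and method names are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical sketch of the check proposed in the post; not the Struts 2
// DefaultActionMapper. A "method:NAME" request parameter is honoured only when
// dynamic method calls are enabled AND NAME is on an explicit allow-list.
public final class DynamicMethodGate {
    private static final String METHOD_PREFIX = "method:";
    // Plain Java identifiers only: no dots, brackets or expression syntax.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private final boolean allowDynamicMethodCalls; // assumed to mirror the mapper's config flag
    private final Set<String> allowedMethods;      // methods this action is willing to expose

    public DynamicMethodGate(boolean allowDynamicMethodCalls, Set<String> allowedMethods) {
        this.allowDynamicMethodCalls = allowDynamicMethodCalls;
        this.allowedMethods = new HashSet<>(allowedMethods);
    }

    // Returns the selected method name, or null so the caller falls back to the
    // default execute(): null when the parameter is absent, when dynamic method
    // calls are disabled, or when NAME is malformed or not allow-listed.
    public String resolveMethod(Map<String, String[]> params) {
        if (!allowDynamicMethodCalls) {
            return null; // parameter silently ignored, as the post proposes
        }
        for (String key : params.keySet()) {
            if (!key.startsWith(METHOD_PREFIX)) continue;
            String name = key.substring(METHOD_PREFIX.length());
            if (SAFE_NAME.matcher(name).matches() && allowedMethods.contains(name)) {
                return name;
            }
            return null; // unknown or malformed name: refuse rather than guess
        }
        return null;
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("save", "delete"));
        Map<String, String[]> submit = Map.of("method:save", new String[] {"Save"});     // constructed
        Map<String, String[]> unlisted = Map.of("method:unlisted", new String[] {""});   // constructed
        System.out.println(new DynamicMethodGate(true, allowed).resolveMethod(submit));   // save
        System.out.println(new DynamicMethodGate(true, allowed).resolveMethod(unlisted)); // null
        System.out.println(new DynamicMethodGate(false, allowed).resolveMethod(submit));  // null
    }
}
```

With the flag off the alternate submit buttons Dale mentions stop working, which is the trade-off the post describes; the allow-list variant keeps them working for the named methods only.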