Posted to dev@struts.apache.org by Dale Newfield <Da...@Newfield.org> on 2007/11/12 20:02:52 UTC

Re: [struts] s2 and DispatchAction

Moved from user list.

Dale Newfield wrote:
>> "?method:MY_METHOD_NAME"

> Is there any way to restrict which methods are valid there, or to
> turn this capability off?

Reading the source 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.java?view=markup

indicates the answer is "no".

I propose adding a check for "allowDynamicMethodCalls" in this code as 
well (which if not set would effectively ignore the parameter).  I 
recognize that this may break some functionality (namely alternate 
submit buttons in forms), but as this is really a vulnerability, I think 
it is important to address...
...and we could regain the submit button functionality with JavaScript 
that changes the form submission action URL...

-Dale
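The check proposed above, sketched as an added example (this is not Struts code and not Dale's patch): a hypothetical `DynamicMethodGate` that ignores any `method:NAME` parameter while `allowDynamicMethodCalls` is off and, when it is on, honours only names drawn from an assumed per-action allowlist.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical stand-in for "method:" prefix handling in an action mapper. */
public class DynamicMethodGate {
    private static final String METHOD_PREFIX = "method:";
    // Only plain Java identifiers are ever considered as method names.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private final boolean allowDynamicMethodCalls;
    private final Set<String> allowedMethods; // assumed per-action allowlist

    public DynamicMethodGate(boolean allowDynamicMethodCalls, Set<String> allowedMethods) {
        this.allowDynamicMethodCalls = allowDynamicMethodCalls;
        this.allowedMethods = allowedMethods;
    }

    /**
     * Returns the method selected by a "method:NAME" request parameter, or null when
     * the parameter is absent, dynamic method calls are disabled, or NAME is not allowed.
     */
    public String resolveMethod(Map<String, String[]> params) {
        if (!allowDynamicMethodCalls) {
            return null; // the proposal: with the flag unset the parameter is ignored
        }
        for (String name : params.keySet()) {
            if (name.startsWith(METHOD_PREFIX)) {
                String method = name.substring(METHOD_PREFIX.length());
                if (IDENTIFIER.matcher(method).matches() && allowedMethods.contains(method)) {
                    return method;
                }
                return null; // unknown or malformed name: fall back to the default method
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("save", "cancel"); // constructed allowlist
        Map<String, String[]> params = new HashMap<>();
        params.put("method:save", new String[] {"Save"}); // what a submit button sends
        System.out.println(new DynamicMethodGate(false, allowed).resolveMethod(params)); // null
        System.out.println(new DynamicMethodGate(true, allowed).resolveMethod(params));  // save
        params.clear();
        params.put("method:notConfigured", new String[] {"x"}); // constructed, not allowlisted
        System.out.println(new DynamicMethodGate(true, allowed).resolveMethod(params));  // null
    }
}
```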
