You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "lukaszlenart (via GitHub)" <gi...@apache.org> on 2023/03/07 06:30:11 UTC

[GitHub] [struts] lukaszlenart commented on pull request #663: WW-5267 Add option to generate ActionContext for excluded URLs

lukaszlenart commented on PR #663:
URL: https://github.com/apache/struts/pull/663#issuecomment-1457617483

   > > right now it would be possible to access `ActionContext` out of action, directly from JSP?
   > 
   > Not clear on what you mean, how so?
   
   If the flag is "on" and the request matches excluded urls, the `ActionContext` will be available in non-Struts managed endpoints. By design all the requests should be handled by the actions first and then forwarded into view layer (like JSP or Freemarker) - this also involves the whole security mechanism embedded into _normal_ flow (interceptors).
   
   With this change it is possible to overuse this functionality by having an excluded url and still accessing `ActionContext` out of action scope directly from JSP or Freemarker. User is "escaping" from Struts sandbox, yet having option to operate on `ActionContext` like `ActionContext.getContext().getContainer()`.
   
   This raises security concerns tbh.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@struts.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org