Posted to dev@struts.apache.org by lukaszlenart <gi...@git.apache.org> on 2015/09/01 08:10:12 UTC

[GitHub] struts pull request: WW-4540: Strict DMI

GitHub user lukaszlenart opened a pull request:

    https://github.com/apache/struts/pull/47

    WW-4540: Strict DMI

    This PR enables `Strict DMI` by default (or rather it's always enabled). This will limit the possible methods which can be called and executed as action methods.
    
    Right now you can configure `global-allowed-methods` and `allowed-methods` via `struts.xml` only but I'm going to add support for annotations as well.
    
    To use the new functionality you must update the DTD definition to `2.5`.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/lukaszlenart/struts strict-dmi

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/struts/pull/47.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #47
    
----
commit 065b5b79ae068ab7891a4232a0769290fd21bb17
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:31:59Z

    Drops wildcard as a valid action method

commit ce884e92a15ef601b0e119963d3c521fa68d8bb1
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:33:31Z

    Defines global-allowed-methods

commit fd22e3a16c88ef0528c1e26e0d6bdfdf1c02c755
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:35:16Z

    Uses global-allowed-methods config para

commit 55b8070048cbec0a6e08b1781f81b1bfdb3354f2
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:41:57Z

    Drops strict DMI

commit fb0c4a58507c7fb1af135bb376af5b475f43d7ee
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:42:44Z

    Drops outdated attribute

commit 4565993463f660e9be90b9fe9c3597ce54b58917
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:43:21Z

    Extends Unknown Handler to allow checking if a method is allowed

commit c3f4457b8b8ad6bd0e89646d825f2ef5f9f91118
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T12:43:31Z

    Fixes tests

commit c1928ad06bdfbe245b1ed7d5bfeb07ed9bface37
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T16:36:04Z

    Fixes tests

commit 3b31c428856766389ad6df4ba1edc3d60ecf5e24
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T16:36:29Z

    Adds support for wildcards

commit 185530464b838b3aac9681b5ff5b16401ccef56d
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T16:36:41Z

    Simplifies implementation

commit 47a01eab10d940fdc134cb666d3d2db0280d8ca8
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T18:28:45Z

    Fixes typo

commit 63bb6e30e75facf5382608857494cf971f0378dd
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T19:06:06Z

    Adds missing comma

commit 4c7a7dd6c02457cf006318ed4621b7c432cc478c
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T19:46:16Z

    Adds null-safety

commit 77691563b9b8d2ad01c078a66d1ed207bf3611b3
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T19:46:47Z

    Implements required method

commit dd406fbb04e755c0545c318c3ea099674fb78363
Author: Lukasz Lenart <lu...@apache.org>
Date:   2015-08-31T19:46:55Z

    Fixes test

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
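
For reference, this is what the configuration the PR description talks about looks like in a `struts.xml` that declares the 2.5 DTD. It is an added example for this thread, not a file from PR #47 or from the Struts project: the package name, the `hello` and `edit` actions, the `com.example.*` classes and the JSP result paths are made up, while the `struts.enable.DynamicMethodInvocation` constant, the `<global-allowed-methods>` and `<allowed-methods>` elements and the 2.5 DTD are the ones the thread refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example for this thread; not a file from PR #47 or from the Struts
  project. Assumptions: the package name "default", the action names "hello"
  and "edit", the com.example.* classes and the JSP result paths are made up.
-->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>

    <!-- DMI has to be enabled for the "action!method" URL suffix and the
         "method:xyz" request parameter to select a method at all. With the
         2.5 DTD every such selection is checked against the allow-lists. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>

    <package name="default" extends="struts-default">

        <!-- Package-wide allow-list. It is inherited by packages that extend
             this one, so keep it to method names you really use as entry
             points: a getter such as getPassword must never appear here. -->
        <global-allowed-methods>execute,input,back,cancel,browse</global-allowed-methods>

        <!-- Per-action allow-list, added on top of the global one.
             Allowed:  /hello!doSave, a "method:doSave" request parameter,
                       <s:submit method="doSave"/>
             Rejected: /hello!getPassword, /hello!toString, method:getBean().key
             (the framework throws the ConfigurationException quoted later
             in this thread before the action is invoked). -->
        <action name="hello" class="com.example.HelloAction">
            <allowed-methods>doSave</allowed-methods>
            <result>/hello.jsp</result>
            <result name="input">/hello.jsp</result>
        </action>

        <!-- No <allowed-methods> here: only the global list applies, so
             /edit!execute works and /edit!getBean().name does not. -->
        <action name="edit" class="com.example.EventEdit">
            <result>/edit.jsp</result>
        </action>

    </package>
</struts>
```

The check sits in the action proxy, so it governs every way a request can pick a method (the `!method` suffix, a `method:` parameter, a `<s:submit method="..."/>` button); the `action` attribute of a tag is evaluated on the server while rendering the JSP and is a developer choice rather than user input, which is the distinction Łukasz draws later in the thread. The commit list above mentions wildcard support; the released Struts 2.5 documentation expresses that as a `regex:`-prefixed entry (for example `regex:.*`, which switches the check off for that scope), but whether this PR snapshot already used that exact syntax is not something the thread shows.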


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 01.09.2015 08:19
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I have enabled Strict DMI by default, right now configuration via
> struts.xml is supported only but I'm going to add support for
> annotations as well. When it is done I will push a new BETA
> 
> 



Looking forward to it!

This Email was scanned by Sophos Anti Virus

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> > I was wondering why the method was not blocked in Greg's sample. I tried
> > to reproduce his case based on Łukasz' sample app. But no luck.
> >
> > With <s:submit action="" /> the framework never invoked the action
> > specified there. It was always the form-action and its execute() method.
>
> You must enable DMI
>
> <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
>
> https://struts.apache.org/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
>

It is enabled. Other ways to invoke methods do work, like a parameter with 
'method:' or adding !method to the URL. The test project is based on this:

https://github.com/lukaszlenart/struts2-convention.git


Things that I changed:
- added a member 'String text' to HelloAction, along with getter/setter
- added a method 'doSave' to HelloAction, which also uses SUCCESS result 
but adds an ActionMessage
- added textfield 'name=text' to hello.jsp
- added button to hello.jsp and played with different action="" and 
method="" attributes

For example <s:submit method="doSave" /> does what is expected (invokes
HelloAction.doSave()).
But <s:submit action="hello!doSave" /> does not (invokes 
HelloAction.execute()).


Regards,
Christoph

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-23 8:27 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
>> From: Lukasz Lenart <lu...@apache.org>
>> To: Struts Developers List <de...@struts.apache.org>,
>> Date: 23.09.2015 08:20
>> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>>
>> 2015-09-22 14:05 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
>> > <s:hidden name="method:getBean().key" value="login" />
>>
>> Ok, but this is something that you as a developer did, so you did that
>> on purpose, you had a special requirement so it's up to you to
>> configure Struts to allow such action name. But maybe I am wrong and
>> this is ok, that such a method was blocked?
>
> I wanted this to be blocked. It was my test that blocking
> non-allowed-methods really works ;)

Ach! So I assume it's ok :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 23.09.2015 08:20
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> 2015-09-22 14:05 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> > <s:hidden name="method:getBean().key" value="login" />
>
> Ok, but this is something that you as a developer did, so you did that
> on purpose, you had a special requirement so it's up to you to
> configure Struts to allow such action name. But maybe I am wrong and
> this is ok, that such a method was blocked?
>

I wanted this to be blocked. It was my test that blocking
non-allowed-methods really works ;)

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-23 15:46 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> I was wondering why the method was not blocked in Greg's sample. I tried
> to reproduce his case based on Łukasz' sample app. But no luck.
>
> With <s:submit action="" /> the framework never invoked the action
> specified there. It was always the form-action and its execute() method.

You must enable DMI

<constant name="struts.enable.DynamicMethodInvocation" value="true"/>

https://struts.apache.org/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> >> From: Greg Huber <gr...@gmail.com>
> >> To: Struts Developers List <de...@struts.apache.org>,
> >> Date: 17.09.2015 09:37
> >> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> >>
> >> I was testing using:
> >>
> >> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
> >>
> >> and it returned the value in the name field on the bean.
> >
> > I don't know how <s:submit action="..." /> is implemented but I guess it
> > does not use the DMI code path and hence is not secured by strict DMI. It
> > surely would make sense to apply the newly configured allowed-methods to
> > other code paths as well. How many code paths do we have?
>
> It's a tag so it's internal stuff which can be used by a developer to
> fulfil his special requirements. And this "action" attribute, like any
> other, is evaluated against a ValueStack, so it's very hard to predict
> what the developer's intention was. Please remember that tags are used
> to generate HTML, not to control the framework's behaviour. And this piece
> of code will be returned to a browser and after the user submits it back
> this will be governed by Strict DMI.
>
> Also when you want to use DMI here you should use the "method" attribute:
> <s:submit value="%{getText('button.save')}" action="edit"
> method="getBean().name"/>
>

I was wondering why the method was not blocked in Greg's sample. I tried 
to reproduce his case based on Łukasz' sample app. But no luck.

With <s:submit action="" /> the framework never invoked the action
specified there. It was always the form-action and its execute() method.


Regards,
Christoph

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-22 14:16 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
>> From: Greg Huber <gr...@gmail.com>
>> To: Struts Developers List <de...@struts.apache.org>,
>> Date: 17.09.2015 09:37
>> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>>
>> I was testing using:
>>
>> <s:submit value="%{getText('button.save')}" action="edit!getBean().name"
> />
>>
>> and it returned the value in the name field on the bean.
>
> I don't know how <s:submit action="..." /> is implemented but I guess it
> does not use the DMI code path and hence is not secured by strict DMI. It
> surely would make sense to apply the newly configured allowed-methods to
> other code paths as well. How many code paths do we have?

It's a tag so it's internal stuff which can be used by a developer to
fulfil his special requirements. And this "action" attribute, like any
other, is evaluated against a ValueStack, so it's very hard to predict
what the developer's intention was. Please remember that tags are used
to generate HTML, not to control the framework's behaviour. And this piece
of code will be returned to a browser and after the user submits it back
this will be governed by Strict DMI.

Also when you want to use DMI here you should use the "method" attribute:
<s:submit value="%{getText('button.save')}" action="edit"
method="getBean().name"/>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Greg Huber <gr...@gmail.com>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I was testing using:
> 
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>
> and it returned the value in the name field on the bean.
>

I don't know how <s:submit action="..." /> is implemented but I guess it
does not use the DMI code path and hence is not secured by strict DMI. It
surely would make sense to apply the newly configured allowed-methods to
other code paths as well. How many code paths do we have?

Regards,
Christoph

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-22 14:05 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> <s:hidden name="method:getBean().key" value="login" />

Ok, but this is something that you as a developer did, so you did that
on purpose, you had a special requirement so it's up to you to
configure Struts to allow such action name. But maybe I am wrong and
this is ok, that such a method was blocked?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Greg Huber <gr...@gmail.com>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I was testing using:
> 
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
> 
> and it returned the value in the name field on the bean.
> 

I tested with:

<s:hidden name="method:getBean().key" value="login" />

And that was blocked with this exception:

com.opensymphony.xwork2.config.ConfigurationException: This method: getBean().key for action login is not allowed!
        at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:200) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
        at org.apache.struts2.factory.StrutsActionProxy.prepare(StrutsActionProxy.java:63) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
        at org.apache.struts2.factory.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:37) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
        .....



Regards,
Christoph

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-17 9:37 GMT+02:00 Greg Huber <gr...@gmail.com>:
> I was testing using:
>
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>
> and it returned the value in the name field on the bean.
>
> public class EventEdit extends EventBase {
> ....
> private EventBean bean = null;
> ....
> /**
>      * Gets the bean.
>      *
>      * @return the bean
>      */
>     public EventBean getBean() {
>         return bean;
>     }
> ....
> }
>
> I though this was what we were trying to stop?

but this is something different, it happens on the server side in tags,
it's your choice as a dev. Without Strict DMI, when DMI is enabled it
is possible to call any public method via the bang operator "!" via a URL
like this:

http://localhost:8080/index!getPassword

and as a lot of people are still using this mechanism we want to help them
be more secure :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
I was testing using:

<s:submit value="%{getText('button.save')}" action="edit!getBean().name" />

and it returned the value in the name field on the bean.

public class EventEdit extends EventBase {
....
private EventBean bean = null;
....
/**
     * Gets the bean.
     *
     * @return the bean
     */
    public EventBean getBean() {
        return bean;
    }
....
}

I thought this was what we were trying to stop?


On 17 September 2015 at 08:27, Lukasz Lenart <lu...@apache.org>
wrote:

> 2015-09-17 9:11 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > For my form bean, getBean().getName();
> >
> >
> > edit!getBean().getName
> >
> >
> > For me it shows an exception with the bean Name field value, would a
> > combination of all public methods in the package and then on sensitive
> > actions like login/payments etc use the action to restrict to allowed
> > methods only?
> >
> > [
> >
> > edit!getBean().getName() ==
> >
> >    1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
> >    ":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
> >    "false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{"
> ... "@"
> >    ... "new" ... <IDENT> ... <DYNAMIC_SUBSCRIPT> ... "\'" ... "`" ...
> "\"" ...
> >    <INT_LITERAL> ... <FLT_LITERAL> ...
> >    2. Malformed OGNL expression: getBean().getName()()
> >
> > edit!getBean().name ==
> >
> > *java.lang.NoSuchMethodException*
> >
> > Block set..() and get..()?
> >
> > ]
>
> Not sure what you mean by that but DMI works only with top level
> functions that return a String, i.e. edit!toString
> It won't work with beans.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-17 9:11 GMT+02:00 Greg Huber <gr...@gmail.com>:
> For my form bean, getBean().getName();
>
>
> edit!getBean().getName
>
>
> For me it shows an exception with the bean Name field value, would a
> combination of all public methods in the package and then on sensitive
> actions like login/payments etc use the action to restrict to allowed
> methods only?
>
> [
>
> edit!getBean().getName() ==
>
>    1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
>    ":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
>    "false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{" ... "@"
>    ... "new" ... <IDENT> ... <DYNAMIC_SUBSCRIPT> ... "\'" ... "`" ... "\"" ...
>    <INT_LITERAL> ... <FLT_LITERAL> ...
>    2. Malformed OGNL expression: getBean().getName()()
>
> edit!getBean().name ==
>
> *java.lang.NoSuchMethodException*
>
> Block set..() and get..()?
>
> ]

Not sure what you mean by that but DMI works only with top level
functions that return a String, i.e. edit!toString
It won't work with beans.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
For my form bean, getBean().getName();


edit!getBean().getName


For me it shows an exception with the bean Name field value, would a
combination of all public methods in the package and then on sensitive
actions like login/payments etc use the action to restrict to allowed
methods only?

[

edit!getBean().getName() ==

   1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
   ":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
   "false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{" ... "@"
   ... "new" ... <IDENT> ... <DYNAMIC_SUBSCRIPT> ... "\'" ... "`" ... "\"" ...
   <INT_LITERAL> ... <FLT_LITERAL> ...
   2. Malformed OGNL expression: getBean().getName()()

edit!getBean().name ==

*java.lang.NoSuchMethodException*

Block set..() and get..()?

]

On 16 September 2015 at 08:32, Lukasz Lenart <lu...@apache.org>
wrote:

> 2015-09-16 9:12 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > Hm, getAString(), would it return anything?  I will do a check to see
> what
> > happens.
>
> It will return a String which is then interpreted as a result name but
> if you are in devMode you will get the developer notification that
> such a result doesn't exist and you will see the String.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-16 9:12 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Hm, getAString(), would it return anything?  I will do a check to see what
> happens.

It will return a String which is then interpreted as a result name but
if you are in devMode you will get the developer notification that
such a result doesn't exist and you will see the String.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
Hm, getAString(), would it return anything?  I will do a check to see what
happens.

On 16 September 2015 at 07:56, Lukasz Lenart <lu...@apache.org>
wrote:

> 2015-09-16 8:51 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > Restricting to public methods on the action class/package would be more
> > useful, may be less of an overhead?  It would be inherited methods that
> > could potentially cause the issues.
>
> Yes, I am planning something like that but it's something different
> than Strict DMI. Also your solution allows access to getters, i.e.
> some.action!getPassword
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-16 8:51 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Restricting to public methods on the action class/package would be more
> useful, may be less of an overhead?  It would be inherited methods that
> could potentially cause the issues.

Yes, I am planning something like that but it's something different
than Strict DMI. Also your solution allows access to getters, i.e.
some.action!getPassword


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
Restricting to public methods on the action class/package would be more
useful, may be less of an overhead?  It would be inherited methods that
could potentially cause the issues.

On 15 September 2015 at 08:11, Lukasz Lenart <lu...@apache.org>
wrote:

> I have extended the list of default 'global-allowed-methods' but I am
> wondering if support for 'package-allowed-methods' is needed?
> 'global-allowed-methods' are inherited from package to package where
> 'package-allowed-methods' wouldn't be. WDYT?
>
> This can always be added later.
>
> 2015-09-04 12:25 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> > I have updated PR description with more detailed info
> > https://github.com/apache/struts/pull/47
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 15.09.2015 09:11
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> I have extended the list of default 'global-allowed-methods' but I am
> wondering if support for 'package-allowed-methods' is needed?
> 'global-allowed-methods' are inherited from package to package where
> 'package-allowed-methods' wouldn't be. WDYT?
> 
> This can always be added later.
> 


I don't think we need support for 'package-allowed-methods'. It would be 
nice but I don't see a real benefit. Just more maintenance work.


And yes, if users request it it can be added.



Regards,
Christoph



> 2015-09-04 12:25 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> > I have updated PR description with more detailed info
> > https://github.com/apache/struts/pull/47
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> 

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
I have extended the list of default 'global-allowed-methods' but I am
wondering if support for 'package-allowed-methods' is needed?
'global-allowed-methods' are inherited from package to package where
'package-allowed-methods' wouldn't be. WDYT?

This can always be added later.

2015-09-04 12:25 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> I have updated PR description with more detailed info
> https://github.com/apache/struts/pull/47
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-28 13:11 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
>> > What does the current implementation do?
>> > if strictDMI is set to false it returns false.
>> > if it is set to true parent packages are checked. if it is true in one
>> > parent true is returned.
>> > otherwise true is returned in any case.
>> >
>> > IMHO it can be just a simple getter.
>>
>> You are right :) But I have some doubts, what if someone has a large
>> application with multiple packages? Right now it will have to disable
>> Strict DMI in each one, Strict DMI isn't inherited so it can be done
>> in parent package (his own, not from Struts). But from other side we
>> want to have SMI* enabled by default.
>>
>
>
> That means if SMI is false it could mean 2 things:
> - was explicitly set to false
> - was not set and parent package should be checked
>
> If it is true it was explicitly configured and parent packages don't need
> to be checked.

If it was not set, the assumption is to use the default value which is "true"

> I would turn it into a Boolean that can be null. So it is more clear what
> the state in xml is and whether it is necessary to check parent packages.

I thought about the same ...

>> * SMI -> Strict Method Invocation - it comes to me that DMI is
>> something different than SMI so we should use a different abbreviation.
>> SMI works independently from DMI, SMI performs checks inside application
>> (tax police), and DMI does the same but on user input (border police).
>
> That means when methods are configured as own actions they must be
> additionally configured as allowed-methods?

Nope, methods configured as actions (used with "method" attribute or
marked as @Action) are automatically added as allowed-methods

>> If there are no objections I would like to merge this PR and
>> push a new BETA today
>
> +1
>
> More changes can be made in master ;)
> And we might get feedback if users have issues with SMI.

Thanks for the review and all your comments!


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> > Well, I don't think it is necessary to check parent packages at all.
> > Because strictDMI is a primitive boolean and cannot be null. So each
> > package has it explicitly configured, inheriting it is not required.
> > PackageConfig.isStrictMethodInvocation() should just return that value.
> 
> Not exactly, as Boolean.parseBoolean will return "false" if there was
> null and null means there is no "strict-method-invocation" attribute
> configured. That's why I have changed the logic to treat missing
> "strict-method-invocation" attribute as "true" and evaluate parent
> packages.
> 

Ah, I was not aware of that.




> > What does the current implementation do?
> > if strictDMI is set to false it returns false.
> > if it is set to true parent packages are checked. if it is true in one
> > parent true is returned.
> > otherwise true is returned in any case.
> >
> > IMHO it can be just a simple getter.
> 
> You are right :) But I have some doubts, what if someone has a large
> application with multiple packages? Right now it will have to disable
> Strict DMI in each one, Strict DMI isn't inherited so it can be done
> in parent package (his own, not from Struts). But from other side we
> want to have SMI* enabled by default.
> 


That means if SMI is false it could mean 2 things:
- was explicitly set to false
- was not set and parent package should be checked

If it is true it was explicitly configured and parent packages don't need 
to be checked.


I would turn it into a Boolean that can be null. So it is more clear what 
the state in xml is and whether it is necessary to check parent packages.




> * SMI -> Strict Method Invocation - it comes to me that DMI is
> something different than SMI so we should use a different abbreviation.
> SMI works independently from DMI, SMI performs checks inside application
> (tax police), and DMI does the same but on user input (border police).
> 
> 

That means when methods are configured as own actions they must be 
additionally configured as allowed-methods?



> If there are no objections I would like to merge this PR and 
> push a new BETA today

+1

More changes can be made in master ;)
And we might get feedback if users have issues with SMI.


Regards,
Christoph


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Johannes Geppert <jo...@apache.org>.
+1

Johannes

#################################################
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep


2015-09-28 9:50 GMT+02:00 Lukasz Lenart <lu...@apache.org>:

> If there are no objections I would like to merge this PR and push a new
> BETA today
>
> 2015-09-26 9:57 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> > 2015-09-25 16:04 GMT+02:00 Christoph Nenning <
> Christoph.Nenning@lex-com.net>:
> >> Well, I don't think it is necessary to check parent packages at all.
> >> Because strictDMI is a primitive boolean and cannot be null. So each
> >> package has it explicitly configured, inheriting it is not required.
> >> PackageConfig.isStrictMethodInvocation() should just return that value.
> >
> > Not exactly, as Boolean.parseBoolean will return "false" if there was
> > null and null means there is no "strict-method-invocation" attribute
> > configured. That's why I have changed the logic to treat missing
> > "strict-method-invocation" attribute as "true" and evaluate parent
> > packages.
> >
> >> What does the current implementation do?
> >> if strictDMI is set to false it returns false.
> >> if it is set to true parent packages are checked. if it is true in one
> >> parent true is returned.
> >> otherwise true is returned in any case.
> >>
> >> IMHO it can be just a simple getter.
> >
> > You are right :) But I have some doubts, what if someone has a large
> > application with multiple packages? Right now it will have to disable
> > Strict DMI in each one, Strict DMI isn't inherited so it can be done
> > in parent package (his own, not from Struts). But from other side we
> > want to have SMI* enabled by default.
> >
> > * SMI -> Strict Method Invocation - it comes to me that DMI is
> > something different than SMI so we should use a different abbreviation.
> > SMI works independently from DMI, SMI performs checks inside application
> > (tax police), and DMI does the same but on user input (border police).
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
If there are no objections I would like to merge this PR and push a new
BETA today

2015-09-26 9:57 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2015-09-25 16:04 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
>> Well, I don't think it is necessary to check parent packages at all.
>> Because strictDMI is a primitive boolean and cannot be null. So each
>> package has it explicitly configured, inheriting it is not required.
>> PackageConfig.isStrictMethodInvocation() should just return that value.
>
> Not exactly, as Boolean.parseBoolean will return "false" if there was
> null and null means there is no "strict-method-invocation" attribute
> configured. That's why I have changed the logic to treat missing
> "strict-method-invocation" attribute as "true" and evaluate parent
> packages.
>
>> What does the current implementation do?
>> if strictDMI is set to false it returns false.
>> if it is set to true parent packages are checked. if it is true in one
>> parent true is returned.
>> otherwise true is returned in any case.
>>
>> IMHO it can be just a simple getter.
>
> You are right :) But I have some doubts, what if someone has a large
> application with multiple packages? Right now it will have to disable
> Strict DMI in each one, Strict DMI isn't inherited so it can be done
> in parent package (his own, not from Struts). But from other side we
> want to have SMI* enabled by default.
>
> * SMI -> Strict Method Invocation - it comes to me that DMI is
> something different than SMI so we should use a different abbreviation.
> SMI works independently from DMI, SMI performs checks inside application
> (tax police), and DMI does the same but on user input (border police).
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-25 16:04 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> Well, I don't think it is necessary to check parent packages at all.
> Because strictDMI is a primitive boolean and cannot be null. So each
> package has it explicitly configured, inheriting it is not required.
> PackageConfig.isStrictMethodInvocation() should just return that value.

Not exactly, as Boolean.parseBoolean will return "false" if there was
null and null means there is no "strict-method-invocation" attribute
configured. That's why I have changed the logic to treat missing
"strict-method-invocation" attribute as "true" and evaluate parent
packages.

> What does the current implementation do?
> if strictDMI is set to false it returns false.
> if it is set to true parent packages are checked. if it is true in one
> parent true is returned.
> otherwise true is returned in any case.
>
> IMHO it can be just a simple getter.

You are right :) But I have some doubts, what if someone has a large
application with multiple packages? Right now it will have to disable
Strict DMI in each one, Strict DMI isn't inherited so it can be done
in parent package (his own, not from Struts). But from other side we
want to have SMI* enabled by default.

* SMI -> Strict Method Invocation - it comes to me that DMI is
something different than SMI so we should use a different abbreviation.
SMI works independently from DMI, SMI performs checks inside application
(tax police), and DMI does the same but on user input (border police).


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
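
The tri-state resolution discussed in this exchange (missing attribute versus explicit false, and why Boolean.parseBoolean is the wrong tool for it), as an added Python model written for this thread rather than code from the Struts project. PackageConfig, tri_state and naive_is_strict are constructed names; the rule that the first parent carrying an explicit setting wins when a package declares several parents is an assumption of the model, not something the thread specifies.

```python
from typing import List, Optional


def java_parse_boolean(value: Optional[str]) -> bool:
    """Mirror of java.lang.Boolean.parseBoolean: only the string "true"
    (case-insensitive) is true; anything else, including a missing
    attribute (None), is false."""
    return value is not None and value.strip().lower() == "true"


def tri_state(value: Optional[str]) -> Optional[bool]:
    """Keep "attribute absent" (None) distinct from an explicit false."""
    if value is None:
        return None
    return value.strip().lower() == "true"


class PackageConfig:
    """Minimal model of a struts.xml <package>; not the Struts class."""

    def __init__(self, name: str, parents: Optional[List["PackageConfig"]] = None,
                 strict_attr: Optional[str] = None) -> None:
        self.name = name
        self.parents = parents or []
        # Value of strict-method-invocation="..." as written in the XML, or None.
        self.strict = tri_state(strict_attr)

    def resolve_strict(self) -> Optional[bool]:
        """An explicit setting on this package wins; otherwise the first
        explicit setting found up the parent chain (assumption: the first
        parent with a setting wins when several parents are declared)."""
        if self.strict is not None:
            return self.strict
        for parent in self.parents:
            inherited = parent.resolve_strict()
            if inherited is not None:
                return inherited
        return None

    def is_strict_method_invocation(self) -> bool:
        """Nothing configured anywhere in the chain means the secure default: true."""
        resolved = self.resolve_strict()
        return True if resolved is None else resolved


def naive_is_strict(strict_attr: Optional[str]) -> bool:
    """The pitfall from the thread: reading the attribute through
    Boolean.parseBoolean turns a *missing* attribute into false, so a package
    that never mentions strict-method-invocation would silently run unprotected."""
    return java_parse_boolean(strict_attr)


def demo() -> dict:
    # Constructed sample hierarchy: a framework package with no attribute,
    # an application package that disables strict mode, and its children.
    framework = PackageConfig("struts-default")
    app_off = PackageConfig("app-off", parents=[framework], strict_attr="false")
    app_unset = PackageConfig("app-unset", parents=[framework])
    sub_of_off = PackageConfig("app-off-sub", parents=[app_off])
    sub_reenabled = PackageConfig("app-off-sub-on", parents=[app_off], strict_attr="true")
    return {
        "framework": framework.is_strict_method_invocation(),          # True
        "app_off": app_off.is_strict_method_invocation(),              # False
        "app_unset": app_unset.is_strict_method_invocation(),          # True
        "sub_of_off": sub_of_off.is_strict_method_invocation(),        # False
        "sub_reenabled": sub_reenabled.is_strict_method_invocation(),  # True
        "naive_missing": naive_is_strict(None),                        # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the nullable value is visible in the last two results: with the tri-state model an application package that extends a framework package can still switch strict mode off for itself, while a package that says nothing stays strict; with the naive parse, saying nothing would be read as "false".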



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> > But actually it currently does not behave as I would expect it. Due to
> > PackageConfig.isStrictMethodInvocation(). It checks parent packages first
> > which are usually preconfigured packages from s2 jars. If an application
> > package wants to disable strict-DMI it cannot extend a framework package.
> 
> Ok, found a good solution! Now Strict DMI is enabled by default but it
> can be simply disabled by setting the attribute to false.
> 
> https://github.com/lukaszlenart/struts/commit/86afcbe611f7c3afda26e396cc4504d3c9998398#diff-655da7abe6e0dfac1f56124ac21adb5dR608
> 
> 

Well, I don't think it is necessary to check parent packages at all. 
Because strictDMI is a primitive boolean and cannot be null. So each 
package has it explicitly configured, inheriting it is not required. 
PackageConfig.isStrictMethodInvocation() should just return that value.

What does the current implementation do?
if strictDMI is set to false it returns false.
if it is set to true parent packages are checked. if it is true in one 
parent true is returned.
otherwise true is returned in any case.

IMHO it can be just a simple getter.



Regards,
Christoph


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-23 16:22 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> But actually it currently does not behave as I would expect it. Due to
> PackageConfig.isStrictMethodInvocation(). It checks parent packages first
> which are usually preconfigured packages from s2 jars. If an application
> package wants to disable strict-DMI it cannot extend a framework package.

Ok, found a good solution! Now Strict DMI is enabled by default but it
can be simply disabled by setting the attribute to false.

https://github.com/lukaszlenart/struts/commit/86afcbe611f7c3afda26e396cc4504d3c9998398#diff-655da7abe6e0dfac1f56124ac21adb5dR608


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> >> There is just one issue left: Setting strict-method-invocation="false"
> >> affects only actions configured in XML. When PackageConfig is created by
> >> XmlConfigurationProvider that field is set but
> >> PackageBasedActionConfigBuilder from convention-plugin does not set it.
> >>
> >> There could be 2 ways to solve this:
> >> - provide another package-level annotation @StrictMethodInvocation.
> >> - PackageBasedActionConfigBuilder could read existing PackageConfig to
> >> figure out if it was set in xml.
> >
> > Thanks, I will try to figure out if it is possible
> 
> Done, disabling Strict DMI also affects the Convention plugin
> 
> https://github.com/lukaszlenart/struts/commit/b8381057190c3abebbc3a65c404fd5de5f2c6c52
> 
> 

Wow, did not expect that it could be done with just such a small if.


But actually it currently does not behave as I would expect it. Due to 
PackageConfig.isStrictMethodInvocation(). It checks parent packages first 
which are usually preconfigured packages from s2 jars. If an application 
package wants to disable strict-DMI it cannot extend a framework package.



Regards,
Christoph


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-23 8:17 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
>> There is just one issue left: Setting strict-method-invocation="false"
>> affects only actions configured in XML. When PackageConfig is created by
>> XmlConfigurationProvider that field is set but
>> PackageBasedActionConfigBuilder from convention-plugin does not set it.
>>
>> There could be 2 ways to solve this:
>> - provide another package-level annotation @StrictMethodInvocation.
>> - PackageBasedActionConfigBuilder could read existing PackageConfig to
>> figure out if it was set in xml.
>
> Thanks, I will try to figure out if it is possible

Done, disabling Strict DMI also affects the Convention plugin

https://github.com/lukaszlenart/struts/commit/b8381057190c3abebbc3a65c404fd5de5f2c6c52


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-22 13:52 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> OK, got it working. The issue was that I had a different version of s2 jars
> at runtime. I should learn to use my tools properly ;)

Great!

> @AllowedMethods does what I want it to do, thanks Łukasz!

My pleasure :)

> There is just one issue left: Setting strict-method-invocation="false"
> affects only actions configured in XML. When PackageConfig is created by
> XmlConfigurationProvider that field is set but
> PackageBasedActionConfigBuilder from convention-plugin does not set it.
>
> There could be 2 ways to solve this:
> - provide another package-level annotation @StrictMethodInvocation.
> - PackageBasedActionConfigBuilder could read existing PackageConfig to
> figure out if it was set in xml.

Thanks, I will try to figure out if it is possible

> I know I said just a few weeks ago that I would provide that flag. But
> seeing the current situation I would be OK to drop it. That would force
> users to be more secure :)
> But as there is global-allowed-methods people can be lazy.

We can always drop this flag with next major release (2.6 or 3.0)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 17.09.2015 08:25
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> Great, thanks for testing it!
> 
> 2015-09-16 16:26 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> > Finally I had some time to play with strict DMI again. Here some findings
> > and thoughts:
> >
> >
> > - I realized that in current master branch strict DMI has no effect when
> > actions are not configured in xml. I thought that would lead to no methods
> > being allowed.
> >
> > - In strict-DMI branch it is same behavior. So I could not get the new
> > annotation @AllowedMethods to have an effect.
> >
> > - When action is configured in xml without <allowed-methods> and annotated
> > with @AllowedMethods there is just execute() available.
> >
> > - I could not find docs in wiki about the mechanism to invoke a method
> > with a parameter name like "method:<method-name>". But the feature got
> > disabled along with DMI. So I think there should be info added to this
> > page: http://struts.apache.org/docs/action-configuration.html
> >
> >
> >
> > Sample for first point (strict DMI has no effect with convention plugin)
> >
> >
> > struts.xml:
> >
> > <package name="hello-pkg" namespace="/" extends="default"
> > strict-method-invocation="true">
> >
> >         <!-- no action -->
> >
> > </package>
> > <constant name="struts.convention.default.parent.package" value=
> > "hello-pkg" />
> >
> >
> >
> > Action:
> >
> > @Action("hello")
> > public class HelloAction extends ActionSupport {
> >
> > // all methods can be invoked -> strict DMI has no effect
> > // I would rather expect that just execute() is allowed in this case
> > // and that more methods can be allowed with @AllowedMethods
> >
> > }
> 
> It is only useful when DMI is enabled - some users are still using
> it. Also, did you switch the DTD definition to 2.5?
> 
> <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
> 
> then you can call url like this one: index.action!secure
> 
> I have prepared a small demo app
> https://github.com/lukaszlenart/struts2-convention
> 
> 


OK, got it working. The issue was that I had a different version of s2 jars 
at runtime. I should learn to use my tools properly ;)


@AllowedMethods does what I want it to do, thanks Łukasz!


There is just one issue left: Setting strict-method-invocation="false"
affects only actions configured in XML. When PackageConfig is created by 
XmlConfigurationProvider that field is set but 
PackageBasedActionConfigBuilder from convention-plugin does not set it.

There could be 2 ways to solve this:
- provide another package-level annotation @StrictMethodInvocation.
- PackageBasedActionConfigBuilder could read existing PackageConfig to 
figure out if it was set in xml.


I know I said just a few weeks ago that I would provide that flag. But 
seeing the current situation I would be OK to drop it. That would force 
users to be more secure :)
But as there is global-allowed-methods people can be lazy.



Regards,
Christoph





> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
Great, thanks for testing it!

2015-09-16 16:26 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> Finally I had some time to play with strict DMI again. Here some findings
> and thoughts:
>
>
> - I realized that in current master branch strict DMI has no effect when
> actions are not configured in xml. I thought that would lead to no methods
> being allowed.
>
> - In strict-DMI branch it is same behavior. So I could not get the new
> annotation @AllowedMethods to have an effect.
>
> - When action is configured in xml without <allowed-methods> and annotated
> with @AllowedMethods there is just execute() available.
>
> - I could not find docs in wiki about the mechanism to invoke a method
> with a parameter name like "method:<method-name>". But the feature got
> disabled along with DMI. So I think there should be info added to this
> page: http://struts.apache.org/docs/action-configuration.html
>
>
>
> Sample for first point (strict DMI has no effect with convention plugin)
>
>
> struts.xml:
>
> <package name="hello-pkg" namespace="/" extends="default"
> strict-method-invocation="true">
>
>         <!-- no action -->
>
> </package>
> <constant name="struts.convention.default.parent.package" value=
> "hello-pkg" />
>
>
>
> Action:
>
> @Action("hello")
> public class HelloAction extends ActionSupport {
>
> // all methods can be invoked -> strict DMI has no effect
> // I would rather expect that just execute() is allowed in this case
> // and that more methods can be allowed with @AllowedMethods
>
> }

It is only useful when DMI is enabled - some users are still using
it. Also, did you switch the DTD definition to 2.5?

<constant name="struts.enable.DynamicMethodInvocation" value="true"/>

then you can call url like this one: index.action!secure

I have prepared a small demo app
https://github.com/lukaszlenart/struts2-convention


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
Finally I had some time to play with strict DMI again. Here some findings 
and thoughts:


- I realized that in current master branch strict DMI has no effect when 
actions are not configured in xml. I thought that would lead to no methods 
being allowed.

- In strict-DMI branch it is same behavior. So I could not get the new 
annotation @AllowedMethods to have an effect.

- When action is configured in xml without <allowed-methods> and annotated 
with @AllowedMethods there is just execute() available.

- I could not find docs in wiki about the mechanism to invoke a method 
with a parameter name like "method:<method-name>". But the feature got 
disabled along with DMI. So I think there should be info added to this 
page: http://struts.apache.org/docs/action-configuration.html



Sample for first point (strict DMI has no effect with convention plugin)


struts.xml:

<package name="hello-pkg" namespace="/" extends="default" 
strict-method-invocation="true">

        <!-- no action --> 

</package>
<constant name="struts.convention.default.parent.package" value=
"hello-pkg" />



Action:

@Action("hello")
public class HelloAction extends ActionSupport {

// all methods can be invoked -> strict DMI has no effect
// I would rather expect that just execute() is allowed in this case
// and that more methods can be allowed with @AllowedMethods

}




Regards,
Christoph





> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 04.09.2015 12:18
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> Added `strict-method-invocation` attribute back to allow disabling the
> Strict DMI mode. Also improved a bit how Strict DMI logic works, right
> now it's as follows:
> - <allowed-methods> / @AllowedMethods defined per action - Strict DMI
> works without switching it on but just for those actions (plus adding
> <global-allowed-methods/>)
> - Strict DMI enabled but no <allowed-methods> / @AllowedMethods are
> defined - Strict DMI works but only with <global-allowed-methods/>
> - Strict DMI disabled - call to any action method is allowed (Regex: .*)
> 
> Besides the above, each method defined in <action/>'s "method"
> attribute is automatically allowed, the same for method marked with
> @Action annotation.
> 
> Also added support to allow defining allowed methods with a regex, just
> use the "regex:" prefix, i.e.
> <global-allowed-methods>execute,input,cancel,regex:user([A-Z]*)</global-allowed-methods>
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> PS. docs will be updated as soon as we get consensus on this PR
> 

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
I have updated PR description with more detailed info
https://github.com/apache/struts/pull/47


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
Added `strict-method-invocation` attribute back to allow disabling the
Strict DMI mode. Also improved a bit how Strict DMI logic works, right
now it's as follows:
- <allowed-methods> / @AllowedMethods defined per action - Strict DMI
works without switching it on but just for those actions (plus adding
<global-allowed-methods/>)
- Strict DMI enabled but no <allowed-methods> / @AllowedMethods are
defined - Strict DMI works but only with <global-allowed-methods/>
- Strict DMI disabled - call to any action method is allowed (Regex: .*)

Besides the above, each method defined in <action/>'s "method"
attribute is automatically allowed, the same for method marked with
@Action annotation.

Also added support to allow defining allowed methods with a regex, just
use the "regex:" prefix, i.e.
<global-allowed-methods>execute,input,cancel,regex:user([A-Z]*)</global-allowed-methods>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

PS. docs will be updated as soon as we get consensus on this PR
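
The three-way decision described in this message (per-action allowed-methods, package-level strict mode with global-allowed-methods only, or strict mode off meaning any method), together with the "regex:" prefix, the automatic allowance of methods configured as actions, and the package-to-package inheritance of global-allowed-methods mentioned earlier in the thread, as an added Python model. It is written for this thread and is not Struts code: Package, Action, is_method_allowed and the sample method list "execute,input,cancel" are constructed; the assumptions that a "regex:" entry must match the whole method name and that allowed-methods values never contain a literal comma are the model's, not statements from the thread.

```python
import re
from typing import List, Optional, Sequence


def parse_allowed_methods(spec: str) -> List[str]:
    """Split a comma-separated allowed-methods value, keeping any "regex:"
    prefix intact. Assumption: entries never contain a literal comma."""
    return [entry.strip() for entry in spec.split(",") if entry.strip()]


def entry_matches(entry: str, method: str) -> bool:
    """Plain entries match by exact name; "regex:" entries must match the whole
    method name (assumption: anchored match, so "user([A-Z]*)" cannot match
    "userAdmin" or "getPassword")."""
    if entry.startswith("regex:"):
        return re.fullmatch(entry[len("regex:"):], method) is not None
    return entry == method


class Package:
    """Model of <package>: global-allowed-methods accumulates down the
    parent chain, as the thread states for global-allowed-methods."""

    def __init__(self, name: str, parent: Optional["Package"] = None,
                 global_allowed: str = "", strict: bool = True) -> None:
        self.name = name
        self.parent = parent
        self.own_global_allowed = parse_allowed_methods(global_allowed)
        self.strict = strict  # strict-method-invocation="true|false"

    def global_allowed_methods(self) -> List[str]:
        inherited = self.parent.global_allowed_methods() if self.parent else []
        return inherited + self.own_global_allowed


class Action:
    """Model of an <action>/@Action: configured_methods holds the method="..."
    attribute and any method mapped with @Action; allowed holds the
    <allowed-methods>/@AllowedMethods list for this action."""

    def __init__(self, name: str, package: Package,
                 configured_methods: Sequence[str] = ("execute",),
                 allowed: str = "") -> None:
        self.name = name
        self.package = package
        self.configured_methods = list(configured_methods)
        self.allowed = parse_allowed_methods(allowed)


def is_method_allowed(action: Action, method: str) -> bool:
    """Decision procedure from the thread:
    1. per-action allowed-methods present -> strict for this action, no switch needed
    2. package strict, no per-action list   -> global-allowed-methods only
    3. package not strict, no per-action    -> any method (regex .*)
    Methods configured as actions are always allowed."""
    if method in action.configured_methods:
        return True
    strict_here = action.package.strict or bool(action.allowed)
    if not strict_here:
        return re.fullmatch(".*", method) is not None
    entries = action.package.global_allowed_methods() + action.allowed
    return any(entry_matches(entry, method) for entry in entries)


def demo() -> dict:
    # Constructed sample: a base package carrying the regex example from the
    # thread, one strict and one non-strict application package below it.
    base = Package("base", global_allowed="execute,input,cancel,regex:user([A-Z]*)")
    strict_pkg = Package("secure", parent=base, strict=True)
    lax_pkg = Package("legacy", parent=base, strict=False)

    login = Action("login", strict_pkg, configured_methods=("execute", "save"))
    legacy = Action("legacy", lax_pkg)
    legacy_listed = Action("legacyListed", lax_pkg, allowed="end")

    return {
        "strict_execute": is_method_allowed(login, "execute"),             # True
        "strict_method_attr": is_method_allowed(login, "save"),            # True
        "strict_regex": is_method_allowed(login, "userADMIN"),             # True
        "strict_regex_lowercase": is_method_allowed(login, "userAdmin"),   # False
        "strict_getter": is_method_allowed(login, "getPassword"),          # False
        "lax_getter": is_method_allowed(legacy, "getPassword"),            # True
        "listed_end": is_method_allowed(legacy_listed, "end"),             # True
        "listed_global": is_method_allowed(legacy_listed, "input"),        # True
        "listed_getter": is_method_allowed(legacy_listed, "getPassword"),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "lax_getter" row is the case raised earlier in the thread: with strict mode off, a getter such as getPassword is just another invocable method, which is the exposure the allow list is meant to close. Note that a regex entry is only as tight as the pattern: "user([A-Z]*)" accepts "user" and "userADMIN" alike, so patterns in global-allowed-methods deserve the same review as the plain names.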



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
Support to configure <allowed-methods/> via annotation was added. You
can use @AllowedMethods per class or per Java package with
package-info.java, i.e.:

@org.apache.struts2.convention.annotation.AllowedMethods("home,start")
package org.apache.struts2.convention.actions.allowedmethods;

or

@AllowedMethods("end")
public class ClassLevelAllowedMethodsAction {

    public String execute() { return null; }

}


2015-09-01 8:19 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> I have enabled Strict DMI by default, right now configuration via
> struts.xml is supported only but I'm going to add support for
> annotations as well. When it is done I will push a new BETA
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2015-09-01 8:10 GMT+02:00 lukaszlenart <gi...@git.apache.org>:
>> GitHub user lukaszlenart opened a pull request:
>>
>>     https://github.com/apache/struts/pull/47
>>
>>     WW-4540: Strict DMI
>>
>>     This PR enables `Strict DMI` by default (or rather it's always enabled). This will limit possible methods which can be called and executed as action methods.
>>
>>     Right now you can configure `global-allowed-methods` and `allowed-methods` via `struts.xml` only but I'm going to add support for annotations as well.
>>
>>     To use the new functionality you must update DTD definition to `2.5`
>>


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
I have enabled Strict DMI by default; right now only configuration via
struts.xml is supported, but I'm going to add support for
annotations as well. When it is done I will push a new BETA


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2015-09-01 8:10 GMT+02:00 lukaszlenart <gi...@git.apache.org>:
> GitHub user lukaszlenart opened a pull request:
>
>     https://github.com/apache/struts/pull/47
>
>     WW-4540: Strict DMI
>
>     This PR enables `Strict DMI` by default (or rather it's always enabled). This will limit the possible methods which can be called and executed as action methods.
>
>     Right now you can configure `global-allowed-methods` and `allowed-methods` via `struts.xml` only but I'm going to add support for annotations as well.
>
>     To use the new functionality you must update DTD definition to `2.5`
>


[GitHub] struts pull request: WW-4540: Strict DMI

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/struts/pull/47


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-03 10:45 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Probably the config to go with....
>
> are there any docs on the
>
> <package/> for the <global-allowed-methods/> ?

Not yet


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
Probably the config to go with....

Are there any docs on the <package/> for the <global-allowed-methods/>?

Cheers Greg

On 3 September 2015 at 08:21, Lukasz Lenart <lu...@apache.org> wrote:

> 2015-09-03 9:13 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > <allowed-methods/> per <action/>: would this be on the action element in
> > struts.xml?
> >
> > Have you an example of the config?
>
> Action level support is already available (for some time)
>
> https://struts.apache.org/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-03 9:13 GMT+02:00 Greg Huber <gr...@gmail.com>:
> <allowed-methods/> per <action/>: would this be on the action element in
> struts.xml?
>
> Have you an example of the config?

Action level support is already available (for some time)
https://struts.apache.org/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
<allowed-methods/> per <action/>: would this be on the action element in
struts.xml?

Have you an example of the config?


On 2 September 2015 at 10:54, Lukasz Lenart <lu...@apache.org> wrote:

> 2015-09-02 10:18 GMT+02:00 Christoph Nenning <
> Christoph.Nenning@lex-com.net>:
> > In my apps I would not need to use any patterns. Just a list of methods,
> > different for each action, would be enough for me.
>
> <global-allowed-methods/> per <package/> or <allowed-methods/> per
> <action/>
>
> > What do you think about a config switch to enable/disable patterns for
> > strict-dmi-method-names ?
>
> Originally there was such a switch, disabled by default. I can restore
> it and set it to true by default.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
> > In my apps I would not need to use any patterns. Just a list of 
methods,
> > different for each action, would be enough for me.
> 
> <global-allowed-methods/> per <package/> or <allowed-methods/> per 
<action/>
> 

That is great! Still looking forward to annotations, at least for actions 
:)



> > What do you think about a config switch to enable/disable patterns for
> > strict-dmi-method-names ?
> 
> Originally there was such a switch, disabled by default. I can restore
> it and set it to true by default.
> 

IMHO that makes sense as this whole thing is about security. And an 
explicit whitelist of what is allowed gives the highest level of security. 
Apps that need patterns can still opt in to use them.



Regards,
Christoph



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-02 10:18 GMT+02:00 Christoph Nenning <Ch...@lex-com.net>:
> In my apps I would not need to use any patterns. Just a list of methods,
> different for each action, would be enough for me.

<global-allowed-methods/> per <package/> or <allowed-methods/> per <action/>

> What do you think about a config switch to enable/disable patterns for
> strict-dmi-method-names ?

Originally there was such a switch, disabled by default. I can restore
it and set it to true by default.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Christoph Nenning <Ch...@lex-com.net>.
In my apps I would not need to use any patterns. Just a list of methods, 
different for each action, would be enough for me.


What do you think about a config switch to enable/disable patterns for 
strict-dmi-method-names ?



Regards,
Christoph




> From: Lukasz Lenart <lu...@apache.org>
> To: Struts Developers List <de...@struts.apache.org>, 
> Date: 02.09.2015 09:08
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> 2015-09-01 12:41 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > The same way interceptors are configured, something like:
> >
> > <param name="includeMethods">publish*</param>
> >
> > public String publish() {..}
> > public String publishNow() {..}
> 
> but maybe instead of such a simple definition it'd be better to allow
> specifying a very strict regex, i.e.:
> 
> <allowed-methods>regex:publish(([A-Z]?)([a-z]+)?)</allowed-methods>
> 
> wdyt?
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-02 10:01 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Maybe public methods and by package name?
>
> <allowed-packages>mypackage.com</allowed-packages>
> <allowed-methods>regex:(([A-Z]?)([a-z]+)?)</allowed-methods>

It will complicate a few other things, as evaluation of allowed methods
happens during mapping, very early in processing.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
Maybe public methods and by package name?

<allowed-packages>mypackage.com</allowed-packages>
<allowed-methods>regex:(([A-Z]?)([a-z]+)?)</allowed-methods>

On 2 September 2015 at 08:09, Lukasz Lenart <lu...@apache.org> wrote:

> 2015-09-01 12:41 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > The same way interceptors are configured, something like:
> >
> > <param name="includeMethods">publish*</param>
> >
> > public String publish() {..}
> > public String publishNow() {..}
>
> but maybe instead of such a simple definition it'd be better to allow
> specifying a very strict regex, i.e.:
>
> <allowed-methods>regex:publish(([A-Z]?)([a-z]+)?)</allowed-methods>
>
> wdyt?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-02 9:55 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Probably a good idea to be strict, but I have lots of methods and only use
> DMI, so it may get to be a very long element.
>
> Maybe I could prefix all my required methods with something, i.e. with
> allowedPublish() allowedPublishNow() etc.
>
> and use :
>
> <allowed-methods>regex:allowed(([A-Z]?)([a-z]+)?)</allowed-methods>
>
>
> I previously added a salt interceptor and went through changing all
> sensitive post methods to be one of the below,
>
> <interceptor-ref name="ActionSaltInterceptor">
>   <param name="excludeMethods">*</param>
>   <param name="includeMethods">save,delete,publish*,expire</param>
> </interceptor-ref>
>
> but on general methods there are many, and it could be a lot of work going
> through and updating all the screens etc. (no chaining actions)
>
> public void refresh() {..}
> public String query() {..}
> public String cancel() {..}
> public String cancelClosed() {..}
> public String cancelCurrent() {..}
> public String cancelOpen() {..}
> public String cancelOpenAuction() {..}

I have added <global-allowed-methods/> which can be defined per
<package/>, and with regex support it shouldn't be so hard IMO. Also
with regex support you can define a very wide regex to match most of the
methods.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
Probably a good idea to be strict, but I have lots of methods and only use
DMI, so it may get to be a very long element.

Maybe I could prefix all my required methods with something, i.e. with
allowedPublish() allowedPublishNow() etc.

and use :

<allowed-methods>regex:allowed(([A-Z]?)([a-z]+)?)</allowed-methods>


I previously added a salt interceptor and went through changing all
sensitive post methods to be one of the below,

<interceptor-ref name="ActionSaltInterceptor">
  <param name="excludeMethods">*</param>
  <param name="includeMethods">save,delete,publish*,expire</param>
</interceptor-ref>

but on general methods there are many, and it could be a lot of work going
through and updating all the screens etc. (no chaining actions)

public void refresh() {..}
public String query() {..}
public String cancel() {..}
public String cancelClosed() {..}
public String cancelCurrent() {..}
public String cancelOpen() {..}
public String cancelOpenAuction() {..}


On 2 September 2015 at 08:09, Lukasz Lenart <lu...@apache.org> wrote:

> 2015-09-01 12:41 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > The same way interceptors are configured, something like:
> >
> > <param name="includeMethods">publish*</param>
> >
> > public String publish() {..}
> > public String publishNow() {..}
>
> but maybe instead of such a simple definition it'd be better to allow
> specifying a very strict regex, i.e.:
>
> <allowed-methods>regex:publish(([A-Z]?)([a-z]+)?)</allowed-methods>
>
> wdyt?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
2015-09-01 12:41 GMT+02:00 Greg Huber <gr...@gmail.com>:
> The same way interceptors are configured, something like:
>
> <param name="includeMethods">publish*</param>
>
> public String publish() {..}
> public String publishNow() {..}

but maybe instead of such a simple definition it'd be better to allow
specifying a very strict regex, i.e.:

<allowed-methods>regex:publish(([A-Z]?)([a-z]+)?)</allowed-methods>

wdyt?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
The same way interceptors are configured, something like:

<param name="includeMethods">publish*</param>

public String publish() {..}
public String publishNow() {..}



On 1 September 2015 at 11:31, Lukasz Lenart <lu...@apache.org> wrote:

> Right now it supports wildcard mappings in action definitions [1]; I
> mean when you define a method like method="do{2}" it is supported. If
> you need anything else please give me an example.
>
> [1] https://struts.apache.org/docs/wildcard-mappings.html
>
> 2015-09-01 12:23 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > Would these be regex style method names?
> >
> > On 1 September 2015 at 07:10, lukaszlenart <gi...@git.apache.org> wrote:
> >
> >> GitHub user lukaszlenart opened a pull request:
> >>
> >>     https://github.com/apache/struts/pull/47
> >>
> >>     WW-4540: Strict DMI
> >>
> >>     This PR enables `Strict DMI` by default (or rather it's always
> >> enabled). This will limit the possible methods which can be called and
> >> executed as action methods.
> >>
> >>     Right now you can configure `global-allowed-methods` and
> >> `allowed-methods` via `struts.xml` only but I'm going to add support for
> >> annotations as well.
> >>
> >>     To use the new functionality you must update DTD definition to `2.5`
> >>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Lukasz Lenart <lu...@apache.org>.
Right now it supports wildcard mappings in action definitions [1]; I
mean when you define a method like method="do{2}" it is supported. If
you need anything else please give me an example.

[1] https://struts.apache.org/docs/wildcard-mappings.html

2015-09-01 12:23 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Would these be regex style method names?
>
> On 1 September 2015 at 07:10, lukaszlenart <gi...@git.apache.org> wrote:
>
>> GitHub user lukaszlenart opened a pull request:
>>
>>     https://github.com/apache/struts/pull/47
>>
>>     WW-4540: Strict DMI
>>
>>     This PR enables `Strict DMI` by default (or rather it's always
>> enabled). This will limit the possible methods which can be called and
>> executed as action methods.
>>
>>     Right now you can configure `global-allowed-methods` and
>> `allowed-methods` via `struts.xml` only but I'm going to add support for
>> annotations as well.
>>
>>     To use the new functionality you must update DTD definition to `2.5`
>>


Re: [GitHub] struts pull request: WW-4540: Strict DMI

Posted by Greg Huber <gr...@gmail.com>.
Would these be regex style method names?

On 1 September 2015 at 07:10, lukaszlenart <gi...@git.apache.org> wrote:

> GitHub user lukaszlenart opened a pull request:
>
>     https://github.com/apache/struts/pull/47
>
>     WW-4540: Strict DMI
>
>     This PR enables `Strict DMI` by default (or rather it's always
> enabled). This will limit the possible methods which can be called and
> executed as action methods.
>
>     Right now you can configure `global-allowed-methods` and
> `allowed-methods` via `struts.xml` only but I'm going to add support for
> annotations as well.
>
>     To use the new functionality you must update DTD definition to `2.5`
>
> You can merge this pull request into a Git repository by running:
>
>     $ git pull https://github.com/lukaszlenart/struts strict-dmi
>
> Alternatively you can review and apply these changes as the patch at:
>
>     https://github.com/apache/struts/pull/47.patch
>
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>
>     This closes #47
>