Posted to issues@struts.apache.org by "Dave Newton (JIRA)" <ji...@apache.org> on 2007/11/13 03:27:34 UTC

[jira] Commented: (WW-2316) Ability to prevent method:METHOD_NAME access

    [ https://issues.apache.org/struts/browse/WW-2316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42635 ] 

Dave Newton commented on WW-2316:
---------------------------------

Was the general philosophy of WW that "a public action in an action is always available to an app user"?

If so, methods that don't want to be exposed can just be made private (protected?).

If you're using an action method from somewhere else in the app then perhaps it belongs somewhere else anyway.

Privilege checks would have to be done either in the method or through an interceptor, and they'd only be on public methods.

> Ability to prevent method:METHOD_NAME access
> --------------------------------------------
>
>                 Key: WW-2316
>                 URL: https://issues.apache.org/struts/browse/WW-2316
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Dispatch Filter
>    Affects Versions: 2.0.11, 2.1.0
>            Reporter: Dale Newfield
>             Fix For: 2.1.1
>
>
> In order to allow multiple form submission buttons to result in different behavior based on the button pressed, a specially named parameter is included in the form submission that instructs the ActionMapper to call a method indicated in the URL.  This special parameter can be used to implement a credential escalation attack, though:  If a user has sufficient credentials to call a single method on an action, this provides a mechanism whereby they could call any method on that action.  The "action!method.do" capability introduces a similar vulnerability, and the "allowDynamicMethodCalls" option closes that hole.  Besides needing to provide a different mechanism to allow different form submission buttons to do different things, is there a large downside to using this same option ("allowDynamicMethodCalls") to close this hole as well?
> (Just to be explicit, that solution would wrap "if (allowDynamicMethodCalls) {" and "}" around lines 186-188 in org.apache.struts2.dispatcher.mapper.DefaultActionMapper.java .)
> http://www.nabble.com/forum/ViewPost.jtp?post=13710147&framed=y
> http://www.nabble.com/forum/ViewPost.jtp?post=13711925&framed=y

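An added illustration of the mechanism discussed in the issue and the comment above (example code, not Struts 2's own DefaultActionMapper): a request parameter named method:NAME selects the action method to dispatch to, so a user allowed to call one method can name any other. The guarded variant applies the reporter's proposed allowDynamicMethodCalls gate and, following the comment's point about privilege checks, only honours methods the action explicitly exposes. Class, method and parameter names are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical stand-in for the "method:" prefix handling described in WW-2316. */
public class MethodPrefixMapper {
    static final String METHOD_PREFIX = "method:";

    /** Unguarded behaviour: the first "method:NAME" parameter selects NAME, whatever it is. */
    static String selectMethodUnguarded(Map<String, String[]> params, String defaultMethod) {
        for (String name : params.keySet()) {
            if (name.startsWith(METHOD_PREFIX)) {
                return name.substring(METHOD_PREFIX.length());
            }
        }
        return defaultMethod;
    }

    /** Guarded behaviour: the prefix is ignored unless dynamic method calls are enabled,
     *  and even then only methods in the action's exposed set are dispatched to. */
    static String selectMethodGuarded(Map<String, String[]> params, String defaultMethod,
                                      boolean allowDynamicMethodCalls, Set<String> exposed) {
        if (!allowDynamicMethodCalls) {
            return defaultMethod;
        }
        for (String name : params.keySet()) {
            if (name.startsWith(METHOD_PREFIX)) {
                String requested = name.substring(METHOD_PREFIX.length());
                // A method the action does not expose falls back to the default
                // instead of being invoked; this is where an interceptor could also log it.
                return exposed.contains(requested) ? requested : defaultMethod;
            }
        }
        return defaultMethod;
    }

    public static void main(String[] args) {
        // Constructed request: a form submission whose button name selects a method
        // the submitting user was never meant to reach (LinkedHashMap keeps order stable).
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("id", new String[] {"42"});
        params.put("method:deleteAll", new String[] {"Submit"});
        Set<String> exposed = Set.of("save", "cancel");

        System.out.println("unguarded: " + selectMethodUnguarded(params, "execute"));
        System.out.println("gate off:  " + selectMethodGuarded(params, "execute", false, exposed));
        System.out.println("gate on:   " + selectMethodGuarded(params, "execute", true, exposed));
    }
}
```

With the gate off the request is dispatched to the default method regardless of the parameter; with it on, only "save" or "cancel" would be honoured, so the constructed request still lands on the default.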