Posted to issues@struts.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/09/19 13:40:00 UTC

[jira] [Commented] (WW-4323) Ability to accept params purely by implementing ParamNameAware is broken

    [ https://issues.apache.org/jira/browse/WW-4323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606607#comment-17606607 ] 

ASF subversion and git services commented on WW-4323:
-----------------------------------------------------

Commit 3c8e0710fe47b92ba8bd15d667660f2a67eb6d4b in struts-site's branch refs/heads/master from brianandle
[ https://gitbox.apache.org/repos/asf?p=struts-site.git;h=3c8e0710f ]

Update docs for WW-5184 (#170)

* Update parameters-interceptor.md

Updating for excludeValuePatterns/WW-5184

NOTE: The existing Using `ParameterNameAware` could be dangerous as `ParameterNameAware#acceptableParameterName(String)` text is wrong because of WW-4323, but I see that's slated to be fixed in 6.1.0.

* Update parameters-interceptor.md

* Update parameters-interceptor.md

* Update parameters-interceptor.md

> Ability to accept params purely by implementing ParamNameAware is broken
> ------------------------------------------------------------------------
>
>                 Key: WW-4323
>                 URL: https://issues.apache.org/jira/browse/WW-4323
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.1
>         Environment: struts2 version 2.3.16.1
>            Reporter: Kyle Braak
>            Priority: Major
>             Fix For: 6.1.0
>
>
> The ability to accept params purely by implementing ParamNameAware is broken.
> Relates to WW-3866 which is when this feature was added for version 2.3.5
> The commit that breaks this feature is: https://github.com/apache/struts/commit/4e98aaaa1b08cc37374d06e77cf78000d98c5ff0
> Description:
> Prior to this change/2.3.16.1 it was quite convenient to define what parameters my action should accept, by implementing ParameterNameAware#acceptableParameterName. With this change, there is the additional requirement that the parameter names must also satisfy acceptableName(name).
> In the ParametersInterceptor javadoc, it says: "if you wish to apply a global rule that isn't implemented in your action, then you could extend this interceptor and override the {@link #acceptableName(String)} method." So this isn't suitable for customizing a single action.
> Looking more carefully at the code, another alternative to defining what parameters my action can accept, looks to be via populating the ParametersInterceptor's field acceptParams. Apparently this could be done in the interceptor stack from what I have read here: http://struts.apache.org/release/2.3.x/docs/parameters-interceptor.html
> By forcing one to populate acceptParams, and also implement ParameterNameAware#acceptableParameterName it becomes quite difficult to add custom behavior. I understand people should fully understand what they are doing due to the security risks involved, but it is probably safer to define the behavior in a single place.
> I'd greatly appreciate your help understanding how to adapt to this change. In the meantime, I'll have to continue using 2.3.15.3
> Thanks



--
This message was sent by Atlassian Jira
(v8.20.10#820010)