Posted to user@struts.apache.org by Shohji Mikami <sm...@nekonet.co.jp> on 2013/06/04 10:34:56 UTC
About includeParams in S2-014
Struts 2 security report S2-014 strongly recommends upgrading Struts to
2.3.14.2, but in our project the current Struts 2.3.4.1 is difficult to upgrade.
Our project member verified the problem of S2-014 and found that when
includeParams="all" or "get" was not specified in the s:url and s:a tags, no
malfunctioning behavior was seen.
I'd like to ask a question. As in our JSP application's url/a tags neither
includeParams="all" nor includeParams="get" is specified, we'd like to avoid
upgrading Struts this time. Does this decision have a problem?
Regards
Shohji Mikami
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
RE: About includeParams in S2-014
Posted by Shohji Mikami <sm...@nekonet.co.jp>.
Thank you for your quick response and effective information.
I'll check the S2-015 report.
I could not find this report via Google. Your new information is really
appreciated.
Shohji Mikami
-----Original Message-----
From: maurizio.cucchiara@gmail.com [mailto:maurizio.cucchiara@gmail.com] On
Behalf Of Maurizio Cucchiara
Sent: Tuesday, June 04, 2013 5:56 PM
To: Struts Users Mailing List
Subject: Re: About includeParams in S2-014
Even if it's probably not the best way to go, if you are not using
includeParams all or get, you would not have to be concerned about S2-013
and S2-014.
Please check your app against S2-015 [1].
[1] https://cwiki.apache.org/confluence/display/WW/S2-015
Maurizio Cucchiara
On 4 June 2013 10:34, Shohji Mikami <sm...@nekonet.co.jp> wrote:
> Struts 2 security report S2-014 strongly recommends upgrading Struts to
> 2.3.14.2, but in our project the current Struts 2.3.4.1 is difficult to upgrade.
> Our project member verified the problem of S2-014 and found that when
> includeParams="all" or "get" was not specified in the s:url and s:a tags, no
> malfunctioning behavior was seen.
> I'd like to ask a question. As in our JSP application's url/a tags neither
> includeParams="all" nor includeParams="get" is specified, we'd like to avoid
> upgrading Struts this time. Does this decision have a problem?
> Regards
> Shohji Mikami
Re: About includeParams in S2-014
Posted by Maurizio Cucchiara <mc...@apache.org>.
Even if it's probably not the best way to go, if you are not using
includeParams all or get, you would not have to be concerned about S2-013
and S2-014.
Please check your app against S2-015 [1].
[1] https://cwiki.apache.org/confluence/display/WW/S2-015
Maurizio Cucchiara
On 4 June 2013 10:34, Shohji Mikami <sm...@nekonet.co.jp> wrote:
> Struts 2 security report S2-014 strongly recommends upgrading Struts to
> 2.3.14.2, but in our project the current Struts 2.3.4.1 is difficult to upgrade.
> Our project member verified the problem of S2-014 and found that when
> includeParams="all" or "get" was not specified in the s:url and s:a tags, no
> malfunctioning behavior was seen.
> I'd like to ask a question. As in our JSP application's url/a tags neither
> includeParams="all" nor includeParams="get" is specified, we'd like to avoid
> upgrading Struts this time. Does this decision have a problem?
> Regards
> Shohji Mikami
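An added example, not part of the thread or of the Struts project: one way to check the premise discussed above, that no s:url or s:a tag in the JSPs uses includeParams="all" or "get". It goes a step beyond the thread by also reading the struts.url.includeParams constant, which supplies the value when a tag omits the attribute; the function names and the sample JSP are constructed for illustration.

```python
import re

# Opening <s:url ...> / <s:a ...> tags. Quoted values may contain '>' and the
# tag may wrap over several lines, so attributes are matched quote-aware.
TAG_RE = re.compile(r"""<s:(url|a)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>""", re.I)
ATTR_RE = re.compile(r"""\bincludeParams\s*=\s*(["'])(.*?)\1""", re.I | re.S)
# Global default: <constant .../> in struts.xml (assumes name precedes value)
# or a key=value line in struts.properties.
XML_RE = re.compile(
    r"""<constant\s+name=["']struts\.url\.includeParams["']\s+value=["']([^"']*)""")
PROP_RE = re.compile(r"^\s*struts\.url\.includeParams\s*=\s*(\S+)", re.M)

def global_default(config_text):
    """Return the configured default for includeParams, or None if unset."""
    m = XML_RE.search(config_text) or PROP_RE.search(config_text)
    return m.group(1).lower() if m else None

def audit_jsp(jsp_text, default=None):
    """List (line, tag, value, source) for tags that copy request parameters."""
    findings = []
    for tag in TAG_RE.finditer(jsp_text):
        line = jsp_text.count("\n", 0, tag.start()) + 1
        name = tag.group(1).lower()
        attr = ATTR_RE.search(tag.group(2))
        value = attr.group(2).strip() if attr else default
        source = "attribute" if attr else "global default"
        if value is None:
            continue  # attribute omitted and no default known
        if value.lower() in ("all", "get"):
            findings.append((line, name, value.lower(), source))
        elif "{" in value:  # %{...} / ${...} is only known at runtime
            findings.append((line, name, value, "dynamic, review by hand"))
    return findings

# Constructed sample input, not taken from any real application.
SAMPLE_JSP = '''<s:url action="list" var="u1"/>
<s:url action="search"
       includeParams="get" var="u2"/>
<s:a action="edit" includeParams="none">Edit</s:a>
<s:a action="view" includeParams='ALL'>View</s:a>
<s:url action="x" includeParams="%{mode}"/>
<s:action name="foo"/>
'''

if __name__ == "__main__":
    for finding in audit_jsp(SAMPLE_JSP, global_default("")):
        print(finding)
```

An empty result only confirms the includeParams condition for S2-013 and S2-014; it says nothing about S2-015, which the reply asks to be checked separately.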