Posted to user@struts.apache.org by "bphillips@ku.edu" <bp...@ku.edu> on 2011/12/15 15:21:30 UTC
Dynamic Method Invocation Changes In Struts 2.3.1 Release
I'd previously blogged about the security vulnerability that exists when Struts dynamic method invocation is not disabled:
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
I was happy to learn that this vulnerability was addressed in the 2.3.1 release.

However, after adding strict-method-invocation="true" to my package statement a user of my example application is still able to execute any public method (for example getPassword) of the action class.

I'm following the instructions here
http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
that state to add strict-method-invocation="true" to the package statement to prevent dynamic method invocation from executing any method except the method specified in the method attribute of the action.

You can download the example application from my blog post
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
to see how I tested the 2.3.1 release and dynamic method invocation. See the readme file in the download for instructions on how to build and deploy the example.

Have I missed some additional configuration that must be done to prevent dynamic method invocation from allowing the user to execute methods besides the method specified in the action's method attribute?
Thank you for the assistance.
--
View this message in context: http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5077597.html
Sent from the Struts - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
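For readers who want to see the configuration the thread is talking about in one place, here is a struts.xml fragment added as an illustration; it is not taken from Bruce's example application. The package attribute and the action name and class are the ones quoted in this thread; the struts.enable.DynamicMethodInvocation constant and the result JSP path are assumptions. As the later replies show, 2.3.1 GA did not actually enforce the package attribute, which is why disabling DMI globally as well is worth keeping.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- First layer (assumed constant name, not quoted in the thread):
         turn off the action!method URL syntax for the whole application,
         so a request naming an arbitrary method is not dispatched at all. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Second layer, the attribute discussed in this thread: even with
         DMI enabled, only the method named in each action's method
         attribute may be invoked. The weak form is the same package
         element without strict-method-invocation, which lets any public
         method of the action class be called. -->
    <package name="default" extends="struts-default" namespace="/"
             strict-method-invocation="true">

        <!-- Action name and class as they appear in the 404 messages
             quoted in this thread. Only execute() is reachable here; a
             request for getPassword should be rejected before it runs,
             not executed and then fail on result lookup. -->
        <action name="recoverpassword"
                class="edu.ku.it.si.struts2securityvulnerability.security.action.RecoverPassword"
                method="execute">
            <!-- Result path is an assumed placeholder. -->
            <result name="success">/WEB-INF/jsp/recoverpassword.jsp</result>
        </action>
    </package>
</struts>
```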
Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Posted by "bphillips@ku.edu" <bp...@ku.edu>.
I think you fixed the issue.
Using the 2.3.2-snapshot with strict-method-invocation="true" in the package statement I now get a 404 error with the message being

Invalid method: getPassword for action recoverpassword

and the description being

The requested resource (Invalid method: getPassword for action recoverpassword) is not available

When using the 2.3.1 GA release with strict-method-invocation="true" in the package statement I was getting a 404 error with the message being:

No result defined for action edu.ku.it.si.struts2securityvulnerability.security.action.RecoverPassword and result user_secrect_password

and the description being:

The requested resource (No result defined for action edu.ku.it.si.struts2securityvulnerability.security.action.RecoverPassword and result user_secrect_password) is not available.

The user_secret_password is actually the String being returned from the getPassword method call. This was the same result I was getting before 2.3.1.
Thanks for the quick response. I look forward to getting 2.3.2.
Bruce
Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Posted by Łukasz Lenart <lu...@googlemail.com>.
Could you check the latest stable build [1]? It'll be ready in 1 hour
[1] https://builds.apache.org//view/S-Z/view/Struts/job/Struts2/lastStableBuild/
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/
Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Posted by Dave Newton <da...@gmail.com>.
Define "not working for you".
Dave
On Fri, Dec 16, 2011 at 2:17 AM, Reshmi <ra...@trinitymobility.com> wrote:
> Dear Bruce,
> I checked the tag strict-method-invocation, but
> <package name="default" extends="struts-default" namespace="/"
> strict-method-invocation="true" >
> </package>
> But it is not working for me. Give me some sample codes.
RE: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Posted by Reshmi <ra...@trinitymobility.com>.
Dear Bruce,
I checked the tag strict-method-invocation, but
<package name="default" extends="struts-default" namespace="/" strict-method-invocation="true" >
</package>
But it is not working for me. Give me some sample codes.
-----Original Message-----
From: Łukasz Lenart [mailto:lukasz.lenart@googlemail.com]
Sent: Friday, December 16, 2011 12:43 PM
To: Struts Users Mailing List
Subject: Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Thanks Bruce, I'm checking that right now, give me some time
Kind regards
Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release
Posted by Łukasz Lenart <lu...@googlemail.com>.
Thanks Bruce, I'm checking that right now, give me some time
Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/