Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2013/09/03 18:14:01 UTC

Re: Add to ParameterNameAware JavaDoc Warning About Using?

There is another option - flipping the order of checking the parameter name.
In that case the user filter will be first. But precedence can occur the
other way - the user will accept the parameter, but the interceptor will throw
it away - which can be a good indicator for users that they are doing
something wrong.

return (parameterNameAware != null &&
        parameterNameAware.acceptableParameterName(name)) ||
       acceptableName(name);


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Add to ParameterNameAware JavaDoc Warning About Using?

Posted by Lukasz Lenart <lu...@apache.org>.
Just for reference, the old behaviour is restored with the incoming 2.3.16 version

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16

2013/9/23 nick <ni...@gmail.com>:
> Any updates please?
>



Re: Add to ParameterNameAware JavaDoc Warning About Using?

Posted by nick <ni...@gmail.com>.
Any updates please?



--
View this message in context: http://struts.1045723.n5.nabble.com/Add-to-ParameterNameAware-JavaDoc-Warning-About-Using-tp5713285p5714001.html
Sent from the Struts - Dev mailing list archive at Nabble.com.



Re: Add to ParameterNameAware JavaDoc Warning About Using?

Posted by nick <ni...@gmail.com>.
But I guess it's always good to give first preference to the struts2 core security
check (i.e. the acceptableName check first) as long as struts2 OGNL is vulnerable.
Users of the struts2 framework should not bypass this default check by mistake
by excluding it in acceptableParams.

So I hope the following code will be subtle

return acceptableName(name) &&
       (parameterNameAware == null ||
        parameterNameAware.acceptableParameterName(name));

So the check will be strong from a security point of view.

1) acceptableName(name)
The default check will make sure nobody is bypassing the struts2 default check knowingly
or unknowingly.

2) &&
This makes the Struts2 security check stronger so that the user can't bypass it.

3) (parameterNameAware == null ||
    parameterNameAware.acceptableParameterName(name))
If the struts2 default check accepted the parameter
then
  if this action is not ParameterNameAware then return true
  else if this action is ParameterNameAware then call
  acceptableParameterName(name),

so that the user will understand he can't bypass the struts2 default due to
the struts2 security vulnerability, and he will have control over some
custom parameter he wants to bypass (except all default struts2 params).

--
View this message in context: http://struts.1045723.n5.nabble.com/Add-to-ParameterNameAware-JavaDoc-Warning-About-Using-tp5713285p5713672.html
Sent from the Struts - Dev mailing list archive at Nabble.com.
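The two orderings proposed in this thread (Lukasz's "user filter first" OR form and nick's "default check first" AND form) behave differently only when an action's ParameterNameAware whitelist is broader than the interceptor's own check. The following is an added illustration, not code from Struts or from either poster: it reimplements both expressions over a constructed stand-in for acceptableName (the accept regex and the exclude prefixes below are assumptions, not the interceptor's real excludeParams/acceptParamNames defaults) and runs them against a few constructed parameter names. The point for a defender is visible in the output: with the OR form, an action that accidentally accepts every name (name -> true) also lets through names such as struts.token or #context that the framework check would reject; with the AND form it cannot, and can only narrow the set further.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Struts code: simulates how ParametersInterceptor
// combines its own acceptableName(name) check with an action's
// ParameterNameAware.acceptableParameterName(name) under the two orderings
// proposed on the list. The patterns below are constructed stand-ins for
// the interceptor's real accept/exclude configuration.
public class ParameterNameOrderingDemo {

    // Stand-in for the ParameterNameAware interface discussed in the thread.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    // Constructed approximation of the interceptor's default check:
    // a conservative accept pattern plus a deny list of framework-internal prefixes.
    private static final Pattern ACCEPT = Pattern.compile("[a-zA-Z0-9\\.\\]\\[\\(\\)_']+");
    private static final List<Pattern> EXCLUDE = Arrays.asList(
            Pattern.compile("^struts\\..*"),
            Pattern.compile("^session\\..*"),
            Pattern.compile("^request\\..*"));

    // Stand-in for ParametersInterceptor.acceptableName(name).
    static boolean acceptableName(String name) {
        if (!ACCEPT.matcher(name).matches()) {
            return false;
        }
        for (Pattern p : EXCLUDE) {
            if (p.matcher(name).matches()) {
                return false;
            }
        }
        return true;
    }

    // Lukasz's proposal: the action's filter is consulted first and can accept on its own.
    static boolean orderUserFirst(ParameterNameAware aware, String name) {
        return (aware != null && aware.acceptableParameterName(name)) || acceptableName(name);
    }

    // nick's proposal: the default check is mandatory; the action can only narrow it.
    static boolean orderDefaultFirst(ParameterNameAware aware, String name) {
        return acceptableName(name) && (aware == null || aware.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Constructed action whose whitelist accidentally accepts everything.
        ParameterNameAware permissive = name -> true;
        // Constructed action whitelisting only two business parameters.
        ParameterNameAware strict = name -> name.equals("username") || name.equals("page");

        // Constructed parameter names: two legitimate, one unexpected, two framework-internal.
        String[] names = {"username", "page", "debug", "struts.token", "#context"};
        System.out.printf("%-14s %-16s %-16s %-16s%n",
                "name", "permissive/OR", "permissive/AND", "strict/AND");
        for (String n : names) {
            System.out.printf("%-14s %-16b %-16b %-16b%n", n,
                    orderUserFirst(permissive, n),
                    orderDefaultFirst(permissive, n),
                    orderDefaultFirst(strict, n));
        }
    }
}
```

Compile and run with `javac ParameterNameOrderingDemo.java && java ParameterNameOrderingDemo`. Under the OR ordering the permissive action reports true for all five names, including the two the stand-in default check rejects; under the AND ordering those two stay rejected regardless of what the action says, and the strict action additionally drops "debug", which is the "interceptor accepts, user filter rejects" case both posters describe.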
