Posted to dev@struts.apache.org by Niall Pemberton <ni...@gmail.com> on 2006/02/19 03:01:39 UTC

Decision on Bug #38374 Validation skipped with Globals.CANCEL_KEY

I patched the 1.2.x branch to fix Bug #38374 "Validation skipped with
Globals.CANCEL_KEY" and was planning to apply the same fix to the
original RequestProcessor in the current trunk (1.3 series):

  http://issues.apache.org/bugzilla/show_bug.cgi?id=38374
  http://svn.apache.org/viewcvs?rev=377805&view=rev

However, Ted expressed the opinion that Bug 38374 was a feature and he
would rather the change I made to the 1.2.x branch not go into 1.3.1:

  http://tinyurl.com/c3j7m

My view is it's a security hole and it needs to be fixed in the 1.2.x
branch and 1.3 branch. So we need to either:

1) Decide it's a security issue and fix this issue in the 1.3 series.
2) Decide it's a feature and reverse out the change I made to the 1.2.x branch

I'm proposing here that we apply the changes to the 1.3
RequestProcessor (I'm happy to do the change) for this issue.

Niall

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Decision on Bug #38374 Validation skipped with Globals.CANCEL_KEY

Posted by Ted Husted <te...@gmail.com>.
If someone wants to take responsibility for maintaining the legacy
RequestProcessor in 1.3.x along with the ComposableRequestProcessor,
then go ahead. I just didn't want to take responsibility for
maintaining duplicate lines of development myself. The Opt-In Cancel
Handler is available in the default Action 1.3.0 configuration, which
was my primary concern.

-Ted.

On 2/18/06, Niall Pemberton <ni...@gmail.com> wrote:
> I patched the 1.2.x branch to fix Bug #38374 "Validation skipped with
> Globals.CANCEL_KEY" and was planning to apply the same fix to the
> original RequestProcessor in the current trunk (1.3 series):
>
>   http://issues.apache.org/bugzilla/show_bug.cgi?id=38374
>   http://svn.apache.org/viewcvs?rev=377805&view=rev
>
> However, Ted expressed the opinion that Bug 38374 was a feature and he
> would rather the change I made to the 1.2.x branch not go into 1.3.1:
>
>   http://tinyurl.com/c3j7m
>
> My view is it's a security hole and it needs to be fixed in the 1.2.x
> branch and 1.3 branch. So we need to either:
>
> 1) Decide it's a security issue and fix this issue in the 1.3 series.
> 2) Decide it's a feature and reverse out the change I made to the 1.2.x branch
>
> I'm proposing here that we apply the changes to the 1.3
> RequestProcessor (I'm happy to do the change) for this issue.
>
> Niall
