Posted to issues@struts.apache.org by "Musachy Barroso (JIRA)" <ji...@apache.org> on 2009/08/13 01:03:59 UTC

[jira] Commented: (WW-3214) AliasInterceptor does not set setDenyMethodExecution()

    [ https://issues.apache.org/struts/browse/WW-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46625#action_46625 ] 

Musachy Barroso commented on WW-3214:
-------------------------------------

I updated AliasInterceptor to fix 1-4. Changes for #5 could have side effects and break existing apps, so I am not sure what we can do there. Thanks for reporting.

> AliasInterceptor does not set setDenyMethodExecution()
> ------------------------------------------------------
>
>                 Key: WW-3214
>                 URL: https://issues.apache.org/struts/browse/WW-3214
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.1.6, 2.1.7
>            Reporter: Jasper Rosenberg
>             Fix For: 2.1.8
>
>
> There are actually a lot of issues with AliasInterceptor:
> 1. It injects the aliased parameter without first setting ReflectionContextState.setDenyMethodExecution(contextMap, true).  This is a security issue.
> 2. It doesn't handle conversion errors
> 3. It doesn't set setCreatingNullObjects(contextMap, true) like all other parameter injecting interceptors
> 4. It uses a different instance of the parameter map than all of the other parameter related interceptors (stack.getContext().get("parameters") rather than ac.getParameters())
> 5. It doesn't offer an option to not inject the other parameters later on (in other words, if I alias A to B, the contents of A get injected twice, once as A and once as B, assuming I have ParameterInterceptor in the stack too and haven't explicitly filtered out A.) This is more of an enhancement request of course.
> My 2 cents is that the AliasInterceptor should just be deprecated, and the ability to alias a parameter should just be moved to ParameterInterceptor. It would be nice too because, if you made static parms also extend parms (WW-3213), then all three parameter injecting interceptors would support aliasing. That would be a nice consistency, and useful now that static-parms can be set by wildcards. Issue 5 could be more easily implemented from within the main parms interceptor as well.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
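
The guard that items 1-3 of the report describe, as an added example that is not part of the original message and is not the Struts source or the committed fix. It assumes the XWork 2.1.x API (`ValueStack`, `ReflectionContextState`) on the classpath; the class name `GuardedAliasInjection` and the method `inject` are hypothetical.

```java
import java.util.Map;

import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.reflection.ReflectionContextState;

/** Hypothetical helper (not Struts code): writes one aliased value under the reflection guards. */
public final class GuardedAliasInjection {

    private GuardedAliasInjection() {
    }

    /**
     * Sets {@code value} on the stack under the expression {@code alias}.
     * The flags are raised on the same context the expression is evaluated
     * in and are always lowered again, so they cannot leak into later
     * evaluations (for example the result rendering) on the same request.
     */
    public static void inject(ValueStack stack, String alias, Object value) {
        Map<String, Object> contextMap = stack.getContext();
        try {
            // Item 3: create intermediate objects for nested names such as "user.address.city".
            ReflectionContextState.setCreatingNullObjects(contextMap, true);
            // Item 1: refuse method invocation while request-controlled data
            // is being written through an expression.
            ReflectionContextState.setDenyMethodExecution(contextMap, true);
            // Item 2: have type-conversion failures reported through the context.
            ReflectionContextState.setReportingConversionErrors(contextMap, true);

            stack.setValue(alias, value);
        } finally {
            // Restore the defaults even if setValue throws.
            ReflectionContextState.setCreatingNullObjects(contextMap, false);
            ReflectionContextState.setDenyMethodExecution(contextMap, false);
            ReflectionContextState.setReportingConversionErrors(contextMap, false);
        }
    }
}
```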