
List:       struts-dev
Subject:    [jira] [Resolved] (WW-3973) WW-3866 overrides ParameterNameAware decision with interceptor settings
From:       "Lukasz Lenart (JIRA)" <jira () apache ! org>
Date:       2013-01-28 14:19:12
Message-ID: JIRA.12628737.1358871819118.200926.1359382752707 () arcas


     [ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-3973.
-------------------------------

    Resolution: Won't Fix
      Assignee: Lukasz Lenart

Thanks for pointing out this issue!
                
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
> 
> Key: WW-3973
> URL: https://issues.apache.org/jira/browse/WW-3973
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.7
> Reporter: Christoph Lenggenhager
> Assignee: Lukasz Lenart
> Fix For: 2.3.9
> 
> 
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
>         && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
>         || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
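
The two expressions quoted in the report, evaluated side by side over a few parameter names. This is an added example, not code from the message or from Struts. It assumes the operator joining the two halves of the second expression is `||`; the interface is a local stand-in for ParameterNameAware, and the regex in acceptableName(), the whitelist and the sample names are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class AcceptableNameDemo {
    // Local stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware.
    interface ParameterNameAware {
        boolean acceptableParameterName(String parameterName);
    }

    // Assumption: simplified stand-in for the interceptor's own name check,
    // not the pattern Struts ships with.
    static final Pattern INTERCEPTOR_ACCEPTED = Pattern.compile("[\\w.\\[\\]]+");

    static boolean acceptableName(String name) {
        return INTERCEPTOR_ACCEPTED.matcher(name).matches();
    }

    // First quoted expression: both the interceptor and the action must accept.
    static boolean before(String name, ParameterNameAware aware) {
        return acceptableName(name)
                && (aware == null || aware.acceptableParameterName(name));
    }

    // Second quoted expression (operator assumed to be ||): either check suffices.
    static boolean after(String name, ParameterNameAware aware) {
        return acceptableName(name)
                || (aware != null && aware.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Constructed action-side whitelist, as in the reporter's scenario.
        Set<String> whitelist = new HashSet<>(Arrays.asList("username", "e-mail"));
        ParameterNameAware action = whitelist::contains;

        // Constructed sample parameter names.
        String[] names = {"username", "role", "user.roles[0]", "e-mail", "x-y"};
        System.out.printf("%-16s %-8s %-8s%n", "name", "before", "after");
        for (String n : names) {
            System.out.printf("%-16s %-8b %-8b%n", n, before(n, action), after(n, action));
        }
    }
}
```

Any row that is false under `before` and true under `after` is a name that one of the two checks rejected but that is still accepted once the checks are combined with OR.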

