
List:       struts-dev
Subject:    [jira] [Issue Comment Deleted] (WW-4751) Struts2 should know and consider config time class of user'
From:       "Yasser Zamani (JIRA)" <jira () apache ! org>
Date:       2017-05-19 11:06:04
Message-ID: JIRA.13048787.1488873796000.249360.1495191964234 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/WW-4751?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yasser Zamani updated WW-4751:
------------------------------
    Comment: was deleted

(was: WW-4105 is nicely fixed by this approach, i.e. considering the config time class of the action when copying properties in an action chain :) You can see a [list of changes here|https://github.com/yasserzamani/struts/commit/e95224f26aa17dad6ad490473b4aeab1d2ceaf79].


Now I am working on the Parameters Interceptor. Considering the config time class of the action there enhances S2 security by preventing proxy information of a proxied action from being changed by an attacker!)

> Struts2 should know and consider config time class of user's Actions
> --------------------------------------------------------------------
> 
> Key: WW-4751
> URL: https://issues.apache.org/jira/browse/WW-4751
> Project: Struts 2
> Issue Type: Improvement
> Reporter: Yasser Zamani
> Priority: Minor
> Fix For: 2.5.next
> 
> 
> I see some issues like WW-4105, WW-4694 and WW-4498 suffer from the lack of this information, i.e. the config time class of the user's action. I also know that future issues like the ones below are possible or could potentially occur when Struts2 hands Actions over to an object factory and itself no longer knows anything about the Action's real class (i.e. when the user sets className to a bean name inside his object factory):
> * JSONResult will fail or will generate ugly JSON when the action is an AOPed proxy, because JSONResult tries to generate JSON from irrelevant information like advices etc.
> * From a security point of view, someone may successfully change that action proxy or AOP information simply by calling that action and submitting some named parameters. I know these are solvable by forcing the user to specify includes/excludes parameters, but a better and more beautiful approach is as below: (proxied action) -> ... -> (some subclass of action) -> ... -> (*user config time specified class*) -> ... -> (some superclass of action) -> ... -> Struts2's ActionSupport -> ... If we suppose the above is the type hierarchy of the action, then knowing the *user config time specified class*, Struts2 can exclude all sub-classes above this class and all super classes under and including ActionSupport in all sensitive places to avoid potential future issues. What do you think? :)



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
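The following is an added illustration of the hierarchy-bounding idea from the issue above; it is not code from the message, from the linked commit, or from the Struts code base. The classes ActionSupport (a stand-in for the real framework base), UserAction, UserActionProxy and ConfigTimeClassParameterFilter are hypothetical. The real ParametersInterceptor evaluates parameter names through OGNL and applies accept/exclude patterns; this example uses plain reflection only, so it accepts simple property names and rejects anything else.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for the framework base class (Struts2's ActionSupport).
class ActionSupport {
    private String actionMessage;
    public void setActionMessage(String m) { actionMessage = m; }
    public String getActionMessage() { return actionMessage; }
}

// The class the user names as className in the configuration: the config time class.
class UserAction extends ActionSupport {
    private String username;
    public void setUsername(String u) { username = u; }
    public String getUsername() { return username; }
}

// A runtime subclass as an object factory's AOP proxy might produce it (hypothetical).
// Its own setters carry proxy state that request parameters must never reach.
class UserActionProxy extends UserAction {
    private String advice;
    public void setAdvice(String a) { advice = a; }
    public String getAdvice() { return advice; }
}

public class ConfigTimeClassParameterFilter {

    // Collect public single-String-argument setters declared on the classes from
    // startClass (inclusive) up to, but excluding, the framework base. Starting at the
    // config time class instead of action.getClass() is what keeps setters declared on
    // proxy subclasses out of the allowed set; stopping before the base keeps framework
    // state out as well.
    static Map<String, Method> allowedSetters(Class<?> startClass, Class<?> frameworkBase) {
        Map<String, Method> allowed = new HashMap<>();
        for (Class<?> c = startClass; c != null && c != frameworkBase && c != Object.class; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                String n = m.getName();
                if (n.length() > 3 && n.startsWith("set")
                        && Modifier.isPublic(m.getModifiers())
                        && m.getParameterCount() == 1
                        && m.getParameterTypes()[0] == String.class) {
                    String property = Character.toLowerCase(n.charAt(3)) + n.substring(4);
                    allowed.putIfAbsent(property, m);  // the most derived declaration wins
                }
            }
        }
        return allowed;
    }

    // Apply the request parameters whose name is an allowed simple property of the
    // config time class; return the names that were rejected.
    static List<String> applyParameters(Object action, Class<?> configTimeClass,
                                        Map<String, String> params) throws Exception {
        Map<String, Method> allowed = allowedSetters(configTimeClass, ActionSupport.class);
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            // Only plain identifiers are evaluated here; nested or indexed expressions are
            // rejected because this example does not model OGNL navigation.
            Method setter = name.matches("[A-Za-z_][A-Za-z0-9_]*") ? allowed.get(name) : null;
            if (setter == null) {
                rejected.add(name);
                continue;
            }
            setter.invoke(action, e.getValue());
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        UserAction action = new UserActionProxy();  // what an object factory might hand back

        // Constructed request parameters: one legitimate, two aimed at proxy and framework state.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("advice", "tampered");
        params.put("actionMessage", "tampered");

        // Walking from the runtime class would expose the proxy's setter ...
        System.out.println("from runtime class: " + allowedSetters(action.getClass(), ActionSupport.class).keySet());
        // ... walking from the config time class does not.
        System.out.println("from config time class: " + allowedSetters(UserAction.class, ActionSupport.class).keySet());

        List<String> rejected = applyParameters(action, UserAction.class, params);
        System.out.println("username=" + action.getUsername()
                + " advice=" + ((UserActionProxy) action).getAdvice()
                + " rejected=" + rejected);
    }
}
```

Running the class sets username to alice, leaves advice null, and reports advice and actionMessage as rejected: the proxy's own setter and the framework base's setter are outside the window bounded by the config time class, which is exactly the window the issue proposes Struts2 should use in its sensitive places.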


