Paul and Lukasz - I appreciate the feedback, but I'm a little confused. Should I add the warning about using the ParameterNameAware interface that is in the JavaDoc for ParametersInterceptor to the JavaDoc for the ParameterNameAware interface?
Or do we need to make some code changes in how ParametersInterceptor deals with Action classes that implement the ParameterNameAware interface?

I did review the complete setParameters method of class ParametersInterceptor. Being new to the Struts 2 source code, it's a bit hard for me to follow the logic of that method. It looks like the method is checking in two places to see if the Action implements the ParameterNameAware interface.

Lines 306-312: if the Action implements the ParameterNameAware interface, a new PropertyJudge object is created for the MemberValueStackAccess object; the new PropertyJudge calls the acceptableParameterName method of the Action class. The MemberAccessValueStack has a set of acceptable parameters and the PropertyJudge object.

Lines 346-347, in method isAcceptableParameter: if the Action class implements ParameterNameAware, then the method calls the acceptableParameterName method of the Action class to determine if the parameter name is acceptable. Note line 347:

    return acceptableName(name) || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));

If the Action class implements ParameterNameAware and the acceptableParameterName method returns true, then even if acceptableName(name) returns false the value returned will be true due to the OR. The isAcceptableParameter method is called by line 280 in the setParameters method as part of putting entries in the acceptableParameters map.

If I'm not understanding how ParametersInterceptor is handling the use case where the Action class implements ParameterNameAware, please let me know. I reviewed the code and the JavaDoc for both, but being new to the Struts 2 source code I can easily have missed something or misunderstood. Bottom line is I just want to ensure that we let users of our API know the effect of implementing the ParameterNameAware interface and the best practice of how to use that interface given the changes made starting in version 2.3.7.
If users who are using the ParameterNameAware interface to set up a "blacklist" of acceptable parameters, but have the acceptableParameterName method return true if the parameter name is not in the "blacklist" (as the person who reported issue 4137 was doing), are opening themselves up to a security vulnerability, then we should let users know that.

Sorry for the long-winded reply.

Bruce

--
View this message in context: http://struts.1045723.n5.nabble.com/Add-to-ParameterNameAware-JavaDoc-Warning-About-Using-tp5713285p5713292.html
Sent from the Struts - Dev mailing list archive at Nabble.com.
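To make the effect of the OR on line 347 concrete, here is an added illustration, not Struts code and not part of the thread: a stripped-down model of isAcceptableParameter with a constructed acceptable-name pattern, run against a blacklist-style ParameterNameAware and an allowlist-style one. The pattern, the interface stub and the sample parameter names are all assumptions made for the demo.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ParameterNameAwareDemo {

    // Stand-in for the Struts interface (the real one is com.opensymphony.xwork2.interceptor.ParameterNameAware).
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    // Constructed stand-in for the interceptor's own name check; it does NOT reproduce the real Struts pattern.
    static final Pattern ACCEPTABLE = Pattern.compile("[A-Za-z0-9_.\\[\\]]+");

    static boolean acceptableName(String name) {
        return ACCEPTABLE.matcher(name).matches();
    }

    // Same shape as the line quoted in the message: the action's answer is OR-ed with the interceptor's check,
    // so a "true" from the action overrides a rejection by acceptableName().
    static boolean isAcceptableParameter(String name, ParameterNameAware action) {
        return acceptableName(name) || (action != null && action.acceptableParameterName(name));
    }

    // Blacklist style (the pattern from issue 4137): anything not explicitly denied is accepted,
    // which means names the interceptor itself would reject are still let through.
    static final ParameterNameAware BLACKLIST = n -> !Set.of("password", "adminFlag").contains(n);

    // Allowlist style: only the action's own expected properties are accepted; the OR can never
    // widen the set beyond what the interceptor or this list explicitly permits.
    static final ParameterNameAware ALLOWLIST = n -> Set.of("username", "email").contains(n);

    public static void main(String[] args) {
        // Constructed sample names: an expected field, a denied field, and two names the pattern rejects.
        String[] names = { "username", "adminFlag", "odd$name", "name)(junk" };
        System.out.printf("%-12s %-12s %-12s %-12s%n", "name", "interceptor", "blacklist", "allowlist");
        for (String n : names) {
            System.out.printf("%-12s %-12b %-12b %-12b%n",
                    n, acceptableName(n), isAcceptableParameter(n, BLACKLIST), isAcceptableParameter(n, ALLOWLIST));
        }
    }
}
```

The rows for "odd$name" and "name)(junk" show the point of the thread: the interceptor's own check says false, but the blacklist-style action turns the combined result into true, while the allowlist-style action leaves it false.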