Github user yasserzamani commented on the issue:

    https://github.com/apache/struts/pull/118
  
    @aleksandr-m , Thank you for your time and comments; please let me know 
what you think about the below; I would like to be sure about usefulness before 
starting implementation.
    
    > Are you sure? Can you provide some example?
    
    Yes, I created an attack example with the latest Struts2 but I think I'm not 
allowed to post details here so I emailed secur...@struts.apache.org because 
the example really can be harmful and can be applied in an almost common 
usage by Struts2 users. **The vulnerability is because of operating Struts 
inside other technologies' borders!**
    
    > How knowing the name of the real class helps in that case? What are you 
going to do with it?
    
    Knowing that helps Struts2 to not operate inside other technologies' borders, 
which may raise some vulnerability as mentioned above.
    
    > If it is spring proxy then there are helper methods to get target class 
from the instance (e.g. AopUtils). If there is no clean way to do this in the 
Struts core utility class then it can be delegated to current object factory.
    
    Struts2's dependency on Spring is optional, e.g. AopUtils is not available in 
core. Furthermore, a Struts2 user has several options for the proxy creator, from 
cglib and jdk to any unknown third party.
    
    > Proxying the action itself is not the best practice too.
    
    Please see [This is useful, for example, if you wish to apply more complex 
AOP or Spring-enabled technologies, such as 
Acegi](https://struts.apache.org/docs/spring-plugin.html).
    
    > What is the problem with generating proxy data into json? What if this is 
what is really needed?
    
    The user may not get any exception, then may not check the JSON result, but 
the actual result may help hackers. If this is what is really needed, then we can 
provide an option for the user.
    
    > If ActionSupport is excluded then its methods cannot be used in the JSP 
(e.g. getText). In case of chain action errors / messages won't be moved to the 
next action. Etc.
    
    By the word excluding, I meant in sensitive places rather than complete 
exclusion. In case of chain or any not sensitive place, we should think about a 
solution :)
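The comment above argues that a core utility, without Spring's AopUtils, should recover the real class behind a cglib/JDK proxy so that a serializer or framework can decide based on the user's type rather than the generated one. The following is an added example written for this page, not code from the pull request or from Struts; it assumes the cglib/ByteBuddy "$$" naming convention for subclass proxies (proxy generators with other naming are not detected) and uses a hypothetical `GreetingAction` interface as the proxied action.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public final class ProxyClassResolver {

    /** True for JDK dynamic proxies and for subclass proxies that follow the
     *  cglib/ByteBuddy "$$" naming convention (assumption: third-party proxy
     *  generators that use other names are not detected). */
    public static boolean isProxyClass(Class<?> clazz) {
        if (Proxy.isProxyClass(clazz)) {
            return true;
        }
        return clazz.getName().contains("$$");
    }

    /** Walks from a proxy class to the user's own class. Returns the input
     *  unchanged when no proxy is recognised. */
    public static Class<?> resolveTargetClass(Class<?> clazz) {
        if (Proxy.isProxyClass(clazz)) {
            // A JDK proxy has no target class of its own; the best available
            // information is the first interface it implements.
            Class<?>[] interfaces = clazz.getInterfaces();
            return interfaces.length > 0 ? interfaces[0] : clazz;
        }
        Class<?> current = clazz;
        // cglib-style proxies are subclasses: the real class is the first
        // superclass whose name does not carry the generated "$$" marker.
        while (current != null && current.getName().contains("$$")) {
            current = current.getSuperclass();
        }
        return current == null ? clazz : current;
    }

    /** Hypothetical action interface standing in for a proxied Struts action. */
    public interface GreetingAction {
        String execute();
    }

    public static void main(String[] args) {
        // Constructed sample: a JDK proxy whose every call answers "success".
        InvocationHandler handler = (proxy, method, methodArgs) -> "success";
        GreetingAction proxied = (GreetingAction) Proxy.newProxyInstance(
                GreetingAction.class.getClassLoader(),
                new Class<?>[] { GreetingAction.class }, handler);
        Class<?> runtime = proxied.getClass();
        System.out.println("runtime class: " + runtime.getName());
        System.out.println("is proxy: " + isProxyClass(runtime));
        System.out.println("target class: " + resolveTargetClass(runtime).getName());
    }
}
```

A serializer that consults `resolveTargetClass` before walking getters will see `GreetingAction` rather than the generated proxy type, which is the decision point the comment wants Struts to have without a Spring dependency.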

