[jira] Resolved: (WW-3213) StaticParametersInterceptor does not set setDenyMethodExecution()

Musachy Barroso (JIRA) Wed, 12 Aug 2009 15:45:26 -0700

     [ 
https://issues.apache.org/struts/browse/WW-3213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Musachy Barroso resolved WW-3213.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0.15)

fixed in xwork trunk. The static params interceptor will now create an empty 
stack used to set the params, just like the params interceptor does

> StaticParametersInterceptor does not set setDenyMethodExecution()
> -----------------------------------------------------------------
>
>                 Key: WW-3213
>                 URL: https://issues.apache.org/struts/browse/WW-3213
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.1.6, 2.1.7
>            Reporter: Jasper Rosenberg
>             Fix For: 2.1.8
>
>
> Static parameters can be set from wildcards in the action name, so I believe 
> they are also vulnerable to ognl method invocation security issues.
> Perhaps StaticParametersInterceptor could be refactored to extend 
> ParametersInterceptor just as ActionMappingParametersInteceptor does?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Resolved: (WW-3213) StaticParametersInterceptor does not set setDenyMethodExecution()

Reply via email to