[ https://issues.apache.org/struts/browse/WW-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Musachy Barroso resolved WW-3214.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0.15)

> AliasInterceptor does not set setDenyMethodExecution()
> ------------------------------------------------------
>
>                 Key: WW-3214
>                 URL: https://issues.apache.org/struts/browse/WW-3214
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.1.6, 2.1.7
>            Reporter: Jasper Rosenberg
>             Fix For: 2.1.8
>
>
> There are actually a lot of issues with AliasInterceptor:
> 1. It injects the aliased parameter without first setting 
> ReflectionContextState.setDenyMethodExecution(contextMap, true).  This is a 
> security issue.
> 2. It doesn't handle conversion errors
> 3. It doesn't set setCreatingNullObjects(contextMap, true) like all other 
> parameter injecting interceptors
> 4. It uses a different instance of the parameter map than all of the other 
> parameter related interceptors (stack.getContext().get("parameters") rather 
> than ac.getParameters())
> 5. It doesn't offer an option to not inject the other parameters later on (in 
> other words if I alias A to B, the contents of A gets injected twice once as 
> A, and once as B assuming I have ParameterInterceptor in the stack too and 
> haven't explicitly filtered out A.)  This is more of an enhancement request 
> of course.
> My 2 cents is that the AliasInterceptor should just be deprecated, and the 
> ability to alias a parameter should just be moved to ParameterInterceptor.  
> It would be nice too because, if you made static parms also extend parms 
> (WW-3213), then all three parameter injecting interceptors would support 
> aliasing.   That would be a nice consistency, and useful now that 
> static-parms can be set by wildcards.  Issue 5. could be more easily 
> implemented from within the main parms interceptor as well.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
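
An added example, not part of the JIRA message and not the Struts fix: one way to wrap an alias injection in the ReflectionContextState flags named in items 1 and 3 of the report, restoring them afterwards. The class GuardedAliasInjection, its inject method and the shape of the alias map are hypothetical; the XWork classes it calls are assumed to be on the classpath.

```java
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.reflection.ReflectionContextState;

import java.util.Map;

/** Hypothetical helper (not Struts code): guarded copy of values to their aliases. */
public final class GuardedAliasInjection {

    private GuardedAliasInjection() {
    }

    /**
     * @param stack   the current value stack
     * @param aliases source name -> alias name (assumed shape for this example)
     */
    public static void inject(ValueStack stack, Map<String, String> aliases) {
        Map<String, Object> context = stack.getContext();
        try {
            // Item 3 of the report: create intermediate objects like the
            // other parameter-injecting interceptors do.
            ReflectionContextState.setCreatingNullObjects(context, true);
            // Item 1 of the report: no method execution while the alias
            // expressions are evaluated against the stack.
            ReflectionContextState.setDenyMethodExecution(context, true);
            // Assumption of this example, related to item 2: record
            // conversion errors instead of dropping them silently.
            ReflectionContextState.setReportingConversionErrors(context, true);

            for (Map.Entry<String, String> entry : aliases.entrySet()) {
                Object value = stack.findValue(entry.getKey());
                if (value != null) {
                    stack.setValue(entry.getValue(), value);
                }
            }
        } finally {
            // Always reset the flags so later evaluations on this stack
            // (result rendering, other interceptors) are unaffected.
            ReflectionContextState.setCreatingNullObjects(context, false);
            ReflectionContextState.setDenyMethodExecution(context, false);
            ReflectionContextState.setReportingConversionErrors(context, false);
        }
    }
}
```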