[ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13559744#comment-13559744 ]

Christoph Lenggenhager commented on WW-3973:
--------------------------------------------

Obviously, it is not a big deal to move the whole validation process into
ParameterNameAware actions and configure the interceptor not to accept any
parameter. However, we would have been quite exposed if we hadn't detected this
during testing, as our actions do parameter whitelisting.

> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable
> parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions
> for parameter name validation (e.g. by explicitly whitelisting parameters).
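The following is an added, self-contained illustration of the two predicates quoted in the issue; it is not Struts/XWork code. The `ParameterNameAware` interface, the interceptor pattern, and the whitelisting action are stand-ins constructed for the demonstration, not the framework's real defaults.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class AcceptableNameDemo {

    /** Stand-in for the XWork ParameterNameAware contract: the action decides per name. */
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    /** Constructed interceptor-level syntactic check (not the real default pattern). */
    static final Pattern INTERCEPTOR_PATTERN = Pattern.compile("[A-Za-z0-9_.]+");

    static boolean acceptableName(String name) {
        return INTERCEPTOR_PATTERN.matcher(name).matches();
    }

    /** Logic before the WW-3866 change: both checks must pass, so the action can only narrow. */
    static boolean acceptableBefore(String name, ParameterNameAware action) {
        return acceptableName(name)
                && (action == null || action.acceptableParameterName(name));
    }

    /** Logic after the change (reported in WW-3973): either check suffices, so the action cannot narrow. */
    static boolean acceptableAfter(String name, ParameterNameAware action) {
        return acceptableName(name)
                || (action != null && action.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Constructed action that whitelists exactly two parameter names.
        Set<String> allowed = new HashSet<>(Arrays.asList("username", "email"));
        ParameterNameAware action = allowed::contains;

        // Constructed request parameter names; "admin" is syntactically fine but not whitelisted.
        List<String> submitted = Arrays.asList("username", "email", "admin", "bad name");
        for (String name : submitted) {
            System.out.printf("%-10s before=%-5b after=%-5b%n", name,
                    acceptableBefore(name, action), acceptableAfter(name, action));
        }
        // Under the || rule the interceptor pattern alone is sufficient, so a name the
        // action deliberately leaves off its whitelist still reaches the setter.
    }
}
```

Running it side by side makes the regression visible: the action's whitelist only has an effect under the `&&` form, which is why the report suggests configuring the interceptor itself to accept nothing when relying on `ParameterNameAware`.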

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
