[ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564302#comment-13564302 ]
Lukasz Lenart commented on WW-3973:
-----------------------------------

Added info to Version Notes as well

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.9

> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
> Key: WW-3973
> URL: https://issues.apache.org/jira/browse/WW-3973
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.7
> Reporter: Christoph Lenggenhager
> Assignee: Lukasz Lenart
> Fix For: 2.3.9
>
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
>         && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
>         || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters).
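The decision change described in the issue, as an added example that is not part of the original message or the Struts code base: it evaluates both expressions against an action that whitelists its parameters and marks the names whose outcome differs. The nested `ParameterNameAware` interface is a stand-in for the XWork one, and the interceptor pattern, the whitelist and the parameter names are constructed assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ParameterNameCheckDemo {
    // Stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware (same method name).
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    // Hypothetical, simplified interceptor-level pattern; not the real Struts default.
    static final Pattern INTERCEPTOR_PATTERN = Pattern.compile("[a-zA-Z0-9._]+");

    static boolean acceptableName(String name) {
        return INTERCEPTOR_PATTERN.matcher(name).matches();
    }

    // Expression quoted as the logic before the WW-3866 fix:
    // the interceptor AND the action (if it is ParameterNameAware) must both accept.
    static boolean acceptedBefore(String name, ParameterNameAware action) {
        return acceptableName(name)
                && (action == null || action.acceptableParameterName(name));
    }

    // Expression quoted as the logic after the WW-3866 fix:
    // either check passing is enough, so one check can override the other.
    static boolean acceptedAfter(String name, ParameterNameAware action) {
        return acceptableName(name)
                || (action != null && action.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Constructed whitelist: the action intends to accept only these names.
        Set<String> whitelist = Set.of("username", "email", "display name");
        ParameterNameAware action = whitelist::contains;

        // Constructed sample parameter names covering all four combinations
        // of interceptor verdict and action verdict.
        String[] names = {"username", "role", "display name", "bad name"};
        for (String name : names) {
            boolean before = acceptedBefore(name, action);
            boolean after = acceptedAfter(name, action);
            System.out.printf("%-14s before=%-5b after=%-5b%s%n", name, before, after,
                    before != after ? "  <-- decision changed" : "");
        }
    }
}
```

A name the action does not whitelist but the interceptor pattern allows is the case the reporter flags: it was rejected by the first expression and is accepted by the second.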