[
https://issues.apache.org/jira/browse/WW-4257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13847442#comment-13847442
]
Christoph Lenggenhager commented on WW-4257:
--------------------------------------------
I'm well aware that this was not an issue until WW-4154 that enforced the
according logical AND in {{SecurityMemberAccess}}.
I can also provide a patch, if there are suggestions on how this should be
addressed.
> ParametersInterceptor uses same method on ParameterNameAware interface to
> validate parameters and properties
> ------------------------------------------------------------------------------------------------------------
>
> Key: WW-4257
> URL: https://issues.apache.org/jira/browse/WW-4257
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16
> Reporter: Christoph Lenggenhager
>
> With version 2.3.16, the {{ParametersInterceptor}} uses the same method to
> validate parameter names and property names.
> As we use the {{ParameterNameAware}} interface to implement parameter
> whitelisting on action level, this breaks our case.
> It might not be how it is intended, but validating a property independent of
> the actual bean breaks our current implementation.
> Possible fixes would be:
> - alter {{ParameterNameAware}} to have an additional separate method to
> validate properties
> - introduce a new {{PropertyNameAware}} interface
> - introduce a new {{ParameterAndPropertyNameAware}} interface
> One could also consider to ignore the {{ParameterNameAware}} interface when
> validating properties, as for a parameter {{foo.bar}}, the values
> {{foo.bar}}, {{foo}}, and {{bar}} are passed to the ParameterNameAware
> interface, which one could see as a bit redundant. Especially given the case
> that a context in the case of property validation is completely lacking.
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
