[https://issues.apache.org/jira/browse/WW-4849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154858#comment-16154858]
Mitth'raw'nuruodo commented on WW-4849:
---------------------------------------
Sorry, I don't think I understand your reply properly.
"just drop in the plugin itself" - I'm not sure what you mean here. The
{{guice-servlet}} plugin (part of the Guice project) is no longer compatible
with Struts as of release 2.5.13 due to the signature change. And I'm not sure
that it can be made compatible, since it's supposed to somehow take a no-arg
constructor and yet pass a Container to its superclass. That doesn't seem right
to me. How is anyone supposed to correctly extend {{ObjectFactory}} now?
"there was no other way to fix the vulnerability" - Commit
{{6f91d0776a545c911ca4f2875ed9976614711ef9}} didn't even reference any JIRA
issues. If it really was crucial to fixing vulnerabilities, it probably should
have been better documented. And is it really such a big problem to have a
no-arg constructor in {{ObjectFactory}}? I haven't been able to find detailed
documentation of the potential attack payloads, so I'm not clear on this.
> ObjectFactory constructor signature change breaks extensions
> ------------------------------------------------------------
>
> Key: WW-4849
> URL: https://issues.apache.org/jira/browse/WW-4849
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.5.13
> Reporter: Mitth'raw'nuruodo
> Fix For: 2.5.14
>
>
> Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}} changed the signature of
> the {{ObjectFactory}} constructor, breaking all classes that extend
> {{ObjectFactory}} (as per https://struts.apache.org/docs/objectfactory.html).
> This affects e.g. the [{{guice-servlet}} Struts plugin|https://github.com/google/guice/blob/master/extensions/struts2/src/com/google/inject/struts2/Struts2Factory.java].
> This was not listed on the [2.5.13 version notes|https://struts.apache.org/docs/version-notes-2513.html]
> as a breaking change, and breaking changes should preferably be avoided in
> critical security updates.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)