[
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914324&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914324
]
ASF GitHub Bot logged work on WW-5409:
--------------------------------------
Author: ASF GitHub Bot
Created on: 12/Apr/24 05:43
Start Date: 12/Apr/24 05:43
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1562038780
##########
core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java:
##########
@@ -54,6 +54,7 @@ public class StrutsXmlConfigurationProvider extends
XmlConfigurationProvider {
put("-//Apache Software Foundation//DTD Struts Configuration 2.3//EN",
"struts-2.3.dtd");
put("-//Apache Software Foundation//DTD Struts Configuration 2.5//EN",
"struts-2.5.dtd");
put("-//Apache Software Foundation//DTD Struts Configuration 6.0//EN",
"struts-6.0.dtd");
+ put("-//Apache Software Foundation//DTD Struts Configuration
6.5.0//EN", "struts-6.5.0.dtd");
Review Comment:
I would keep two digits pattern as such changes cannot be introduced with
`PATCH` version anyway. So instead of
```java
put("-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN",
"struts-6.5.0.dtd")
```
use
```java
put("-//Apache Software Foundation//DTD Struts Configuration 6.5//EN",
"struts-6.5.dtd")
```
and rename the corresponding file.
---
What do you think? does it make sense?
Issue Time Tracking
-------------------
Worklog Id: (was: 914324)
Time Spent: 50m (was: 40m)
> Introduce final attribute to package elements which makes them unextendable
> ---------------------------------------------------------------------------
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts but there are some
> quirks, that if a developer is not aware of, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> <package name="package1">
> <default-interceptor-ref name="adminOnly"/>
> <action name="action1" class="Action1">
> <result name="success" />
> </action>
> </package>{code}
> If it is extended by another package like so:
> {code:xml}
> <package name="package2" extends="package1">
> <default-interceptor-ref name="authenticatedOnly"/>
> <action name="action2" class="Action2">
> <result name="success" />
> </action>
> </package> {code}
> The second package will inherit Action1, however it will behave very
> differently in Package2, because it is no longer subject to the same
> interceptors. The {{default-interceptor-ref}} value from the first package
> does not apply to any action in the extending package, not even the ones
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
> <package name="package1" final="true">
> <default-interceptor-ref name="adminOnly"/>
> <action name="action1" class="Action1">
> <result name="success" />
> </action>
> </package>{code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
