Jira ticket with patch: https://issues.apache.org/struts/browse/WW-2761
Crucible review: http://fisheye6.atlassian.com/cru/CR-10/preview
I added these tests to the test cases:
put("blah", "This is blah"); //assert it is good
put("name", "try_1"); //assert it is not set
put("(name)", "try_2"); /
I think that would be great, create a jira ticket, attach a patch to
it and we will check it out. I am writing a patch for the approach
that I mentioned before, which will provide the same behavior using
xml configuration, but having annotations as an option would be good.
musachy
On Tue, Aug 12,
I wrote an annotation based parameters interceptor that extends the current
parameters interceptor while allowing you to configure the default "accept"
policy for an action's properties, as well as a per-property annotation that can
override the action's policy. This lets you use the same inte
> I worked on the 'blank' archetype recently to try to update it to
> Struts 2.1, but wasn't successful in getting it to work. You might
> need to check out an older revision if that's the one you need and you
> want a 2.0.x archetype.
Ok, I will try to get it running...
Regards
--
Lukasz
htt
> If that's a page intended for end users, unreleased snapshots should
> not be listed there.
Maybe, but when you type mvn archetype:create you will get the Struts2
archetypes, so it can be very confusing for new users that these
archetypes are gone ;-)
Regards
--
Lukasz
http://www.lenart.org.pl/
I forgot to say, that this would prevent all the OGNL expression
tricks, because the property name that is passed to MemberAccess to be
checked, is the actual property name, and not an expression.
musachy
On Tue, Aug 12, 2008 at 9:48 AM, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> It seems to me
On Tue, Aug 12, 2008 at 6:22 AM, Lukasz Lenart
<[EMAIL PROTECTED]> wrote:
> Ok, but this means that you broke the use of Maven2 archetype to
> generate Struts2 application, is there any alternative?
> And the archetypes with repo are still mentioned here
> http://docs.codehaus.org/display/MAVENUSER/
On Tue, Aug 12, 2008 at 6:22 AM, Lukasz Lenart
<[EMAIL PROTECTED]> wrote:
> Where are the sources for them?
http://svn.apache.org/repos/asf/struts/maven/trunk/
I worked on the 'blank' archetype recently to try to update it to
Struts 2.1, but wasn't successful in getting it to work. You might
ne
s/Memeber/Member/g
On Tue, Aug 12, 2008 at 9:48 AM, Musachy Barroso <[EMAIL PROTECTED]> wrote:
> It seems to me like there is an elegant solution to this. We can
> rename StaticMemeberAccess to SecurityMemeberAccess, and in there not
> only block static member access, but also fields that can be
>
It seems to me like there is an elegant solution to this. We can
rename StaticMemeberAccess to SecurityMemeberAccess, and in there not
only block static member access, but also fields that can be
configured using regular expressions. The params interceptor would
just set these fields before binding
Look at this related post too:
http://www.nabble.com/paramsPrepareParams-vs.-staticParams-td18773842.html
2008/8/12, Rene Gielen <[EMAIL PROTECTED]>:
>
> On Tue, 12.08.2008, 14:20, Jeromy Evans wrote:
> >
> > This relates to Musachy's recent proposal to remove OGNL entirely from
> > the parameter
> We can
> re-publish the latest snapshots, but they really ought to be fixed up
> and released.
Where are the sources for them?
Regards
--
Lukasz
http://www.lenart.org.pl/
> Old snapshots were removed recently to free up disk space. We can
> re-publish the latest snapshots, but they really ought to be fixed up
> and released.
Ok, but this means that you broke the use of Maven2 archetype to
generate Struts2 application, is there any alternative?
And the archetypes wi
On Tue, Aug 12, 2008 at 4:43 AM, Lukasz Lenart
<[EMAIL PROTECTED]> wrote:
> My colleague discovered that all maven2 archetypes are missing from
> http://people.apache.org/repo/m2-snapshot-repository, could someone
> check that? There are only empty directories, last modified at
> 04-Aug-2008 17:33
On Tue, 12.08.2008, 14:20, Jeromy Evans wrote:
>
> This relates to Musachy's recent proposal to remove OGNL entirely from
> the parameter-setting process. Which I think is a very good idea.
>
Indeed removing OGNL for parameters would fix this issue, but even if we
would decide to do so this won
This relates to Musachy's recent proposal to remove OGNL entirely from
the parameter-setting process. Which I think is a very good idea.
If I've understood correctly, currently there is no way to filter the
parameter names, using regex or otherwise, other than to verify them use
a whitelist
Hi,
My colleague discovered that all maven2 archetypes are missing from
http://people.apache.org/repo/m2-snapshot-repository, could someone
check that? There are only empty directories, last modified at
04-Aug-2008 17:33
I've been using Maven 2.0.9
Regards
--
Lukasz
http://www.lenart.org.pl/
Well the Interceptor promises to "blocks parameters from getting to the rest
of the stack or your action" clearly it fails to deliver on that.
The regexp solution is unusable in a paramsPrepareParamsStack because you
would essentially have to duplicate the entire stack
On Tue, Aug 12, 2008 at 1
I would not go so far to consider this a security issue, I'd rather say
ParameterFilterInterceptor might not be feature complete.
I think it would be straightforward to also enable RegExp for
ParameterFilterInterceptor, to enhance its usability in this case.
What exactly would be that hard when
Hi all,
I was looking into an easy way to prevent people binding on fields they
shouldn't be binding on.
Say you have a User object, you do not want people to be able to bind on the
isAdmin property.
Various people recommended using the ParameterFilterInterceptor for this but
it seems to be flat