Github user lukaszlenart commented on the pull request:
https://github.com/apache/struts/pull/10#issuecomment-41459932
Step-by-step guideline
https://help.github.com/articles/creating-a-pull-request
---
If your project is set up for it, you can reply to this email and have your
reply
Github user lukaszlenart commented on the pull request:
https://github.com/apache/struts/pull/10#issuecomment-41459539
Edit this Pull Request and change `source`
Github user lukaszlenart commented on the pull request:
https://github.com/apache/struts/pull/10#issuecomment-41459530
You don't have to have `develop` branch, use your `master` branch and
`develop` branch from Struts
Github user dwaite commented on the pull request:
https://github.com/apache/struts/pull/10#issuecomment-41459381
Grr, did it apply other changes from my develop branch? Afraid I don't know
too much about how pull requests work. The ChainingInterceptor commit is
independent
Vote passed with result:
+1 GA (binding) x4
+1 GA (non-binding) x1
2014-04-24 23:13 GMT+02:00 Lukasz Lenart:
> The Struts 2.3.16.2 test build is now available. It includes the
> latest security patch which fixes two possible vulnerabilities:
> - Improves excluded params to avoid ClassLoader manip
+1
On Fri, Apr 25, 2014 at 3:59 PM, Lukasz Lenart wrote:
> +1 GA (binding)
>
> 2014-04-24 23:13 GMT+02:00 Lukasz Lenart:
> > The Struts 2.3.16.2 test build is now available. It includes the
> > latest security patch which fixes two possible vulnerabilities:
> > - Improves excluded params to avo
+1 GA (binding)
2014-04-24 23:13 GMT+02:00 Lukasz Lenart:
> The Struts 2.3.16.2 test build is now available. It includes the
> latest security patch which fixes two possible vulnerabilities:
> - Improves excluded params to avoid ClassLoader manipulation via
> ParametersInterceptor
> - Adds exclud
GitHub user lukaszlenart opened a pull request:
https://github.com/apache/struts/pull/11
Security: exclude Object's class methods
This fix is a follow up of the latest security issues discovered with
`ParametersInterceptor` to allow access object's `getClass` method via http
reques
If I have a parameter called class ie
it does not match in ParametersInterceptor, ie log notifyDeveloper(..)

    protected boolean isExcluded(String paramName) {
        if (!this.excludeParams.isEmpty()) {
            for (Pattern pattern : excludeParams) {
                Matcher matcher = pattern.matcher(paramName);
                if (matcher.matches()) return true; // parameter name hits an exclude pattern
            }
        }
        return false; // not excluded, parameter will be applied
    }
The second is enough
2014-04-25 12:08 GMT+02:00 Greg Huber :
> Where the class ExcludedPattern now exists, do we still need to do:
>
>
>name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)
Where the class ExcludedPattern now exists, do we still need to do:
(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*
or just
^action:.*,^method:.*
On 24 Ap
Github user lukaszlenart commented on the pull request:
https://github.com/apache/struts/pull/8#issuecomment-41376393
But then you limit usage of it only to the Convention plugin based
applications. Even with extending DTD and adding `httpMethod` to ``
you will have limitations of usi
Github user jogep commented on the pull request:
https://github.com/apache/struts/pull/8#issuecomment-41374218
The DTD change should not be the problem because it is a compatible change
to previous releases.
The convention plugin applies the default values and all action related
c
Github user lukaszlenart commented on the pull request:
https://github.com/apache/struts/pull/8#issuecomment-41368084
You don't have to use `@Action` annotation to convert class/method into
action, the Convention plugin can do it for you. Another thing is that you can
use wildcard map
Github user jogep commented on the pull request:
https://github.com/apache/struts/pull/8#issuecomment-41367189
Nice, but why not extend the current @Action annotation? Maybe like this:
@Action(value="my-action", httpMethod=GET)
@Action(value="my-action", httpMethod=AL