For those not following the ticket, I've written unit tests that
verify this is not an issue. Private variables and protected accessor
methods are not accessed by the ParametersInterceptor, which is the
piece that translates request parameters to method calls.
As always, this is a good time to re
Hello.
I posted this issue to JIRA.
Thank you for your advice, Phil and Jim.
I attached a sample.
An action named SessionUser has no public getSession(), but this
problem still occurs.
I think that it is necessary to fix this.
>>> it seems that Hisato Killing
>>> (or Tatekura Hisato, who knows? :-
Hi all!
To all developers that may not have noticed it, it seems that Hisato Killing
(or Tatekura Hisato, who knows? :-) ) found a possible security bug:
https://issues.apache.org/struts/browse/WW-2264
I think that we should move on fixing (if necessary) this bug, and, after
that, prepare a fast-tr
Is that a desirable behavior for OGNL (accessing private fields)? It
seems this could open up a lot of issues, beyond just the session. If
I don't want something readable or settable from a form, making it
protected or private makes sense to me. Now if only it actually
worked that way!
Pe
I guess I assumed people had thought of this during
the OGNL submission fiesta :(
Would it be quick and sufficient to include a
parameter filter interceptor to disallow ActionSupport
- implemented interface methods?
d.
--- Tom Schneider <[EMAIL PROTECTED]> wrote:
> No because OGNL can access th
No because OGNL can access the private Session variable directly. (I
noticed this behavior when I was fixing a race condition) It first
tries to call the get(), if that fails, then it will turn on
reflection accessibility and access the variable directly.
On 10/17/07, Jim Cushing <[EMAIL PROTECT
I haven't tested this, but is the problem solved by making your
getSession() method protected, instead of public? The SessionAware
interface only requires a public setSession() method. If you haven't
defined a getSession() method, or if it's already protected, then I
suggest you file a JIRA
On 10/17/07, Hisato Killing <[EMAIL PROTECTED]> wrote:
> Hello.
>
> I'm sorry. Information that I had sent seems to have been insufficient.
>
> 1. This problem is caused in struts 2.0.9 and others perhaps.
>
> In that case, it is assumed that it is as follows.
> i. SomeAction implements SessionAw
Hello.
I'm sorry. Information that I had sent seems to have been insufficient.
1. This problem is caused in struts 2.0.9 and others perhaps.
In that case, it is assumed that it is as follows.
i. SomeAction implements SessionAware.
ii. And it is defined in struts-default.
iii. devMode is true o
Hello.
I found the following.
http://example.com/SomeAction.action?session.somekey=someValue
This request rewrites the session.
Does this become a security hole?
Thanks.
[EMAIL PROTECTED]
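The request Hisato reports above (`session.somekey=someValue`) and the getter-first resolution Tom describes earlier in the thread, as an added example that is not code from this thread or from the Struts project: the parameter name is handed to OGNL as an expression against the action object, the way a ParametersInterceptor-style translation does it, once with a public `getSession()` and once with a protected one. It assumes OGNL 2.7.x (`ognl.Ognl`, `ognl.OgnlException`) on the classpath; the `SessionAware` stand-in, the action class names and the session contents are constructed for the example. Whether the protected getter blocks the write depends on the `MemberAccess` policy installed in the OGNL context; this example uses the library default, which resolves only public members.

```java
// Added example, not code from the Struts project or the mailing-list thread.
// Assumes OGNL 2.7.x on the classpath; names and session contents are made up.
import java.util.HashMap;
import java.util.Map;

import ognl.Ognl;
import ognl.OgnlException;

public class SessionParamDemo {

    /** Minimal stand-in for org.apache.struts2.interceptor.SessionAware (assumed shape). */
    interface SessionAware {
        void setSession(Map<String, Object> session);
    }

    /** Public getter: the expression "session.<key>" resolves to the session map. */
    static class ExposedSessionAction implements SessionAware {
        private Map<String, Object> session;
        public void setSession(Map<String, Object> session) { this.session = session; }
        public Map<String, Object> getSession() { return session; }
    }

    /** Protected getter only: OGNL's default member access does not expose it. */
    static class GuardedSessionAction implements SessionAware {
        private Map<String, Object> session;
        public void setSession(Map<String, Object> session) { this.session = session; }
        protected Map<String, Object> getSession() { return session; }
    }

    /**
     * Apply one request parameter the way a parameter interceptor would:
     * the parameter NAME is the OGNL expression, the VALUE is what gets set.
     * Returns true if OGNL accepted the write, false if it threw.
     */
    static boolean applyParameter(Object action, String name, String value) {
        try {
            Ognl.setValue(name, action, value);
            return true;
        } catch (OgnlException e) {
            // e.g. ognl.NoSuchPropertyException when "session" is not an accessible property
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample session: a logged-in user recorded under "user".
        Map<String, Object> session = new HashMap<String, Object>();
        session.put("user", "alice");
        ExposedSessionAction exposed = new ExposedSessionAction();
        exposed.setSession(session);
        boolean accepted = applyParameter(exposed, "session.user", "admin");
        System.out.println("public getSession(): accepted=" + accepted
                + ", session.user=" + session.get("user"));

        Map<String, Object> session2 = new HashMap<String, Object>();
        session2.put("user", "alice");
        GuardedSessionAction guarded = new GuardedSessionAction();
        guarded.setSession(session2);
        boolean accepted2 = applyParameter(guarded, "session.user", "admin");
        System.out.println("protected getSession(): accepted=" + accepted2
                + ", session.user=" + session2.get("user"));
    }
}
```

The first call writes into the session map because OGNL resolves `session` through the public getter and then treats `user` as a map key; the second call only fails because the default `MemberAccess` refuses non-public members, so a value stack configured with a more permissive policy would behave differently.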