July 2007 10:14 AM
To: 'dev@struts.apache.org'
Subject: RE: [ANN] Struts 2.0.9 General Availability Release with
Important Security Fix
Hi guys,
I have a question about the implementation of this security fix - I'm
worried that it may break something that I rely on.
SHORT VERSIO
stead write java code that calls the various struts
validators directly)
Anyway, just my 2c
Perryn
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Ted Husted
Sent: Wednesday, 25 July 2007 1:13 PM
To: Struts Developers List
Subject: Re: [ANN] Struts 2.0.9 General Availability Release with
Important Security Fix
On 7/24/07, Don Brown <[EMAIL PROTECTED]> wrote:
> As to how we could support your use case, I'm not sure. Perhaps you could
> use a JSP EL expression to resolve the field name as I believe JSP EL is
> evaluated bef
On 7/24/07, Don Brown <[EMAIL PROTECTED]> wrote:
As to how we could support your use case, I'm not sure. Perhaps you could
use a JSP EL expression to resolve the field name as I believe JSP EL is
evaluated before Struts gets a hold of it.
Another avenue might be to expose the fieldnames object
My guess is no, that will no longer work. This is because Struts
automatically surrounds whatever you put in that attribute with '%{}'.
Therefore, your input field:
Will actually be evaluated as if it was:
The relevant lines of code are in UIBean.java starting at 727 or so:
On 7/24/07, Fowler, Perryn <[EMAIL PROTECTED]> wrote:
So, my question (finally) is, will this still work with the security
fix?
If it doesn't, I'd like to see us support your approach directly in
some other fashion.
-Ted.
Hi guys,
I have a question about the implementation of this security fix - I'm
worried that it may break something that I rely on.
SHORT VERSION
Does this fix prevent recursive evaluation when generating the
HTML 'name' attribute as well as the 'value' attribute?
LONG VERSION
As I und