[ https://issues.apache.org/jira/browse/ROL-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14375471#comment-14375471 ]
Kohei Nozaki commented on ROL-2058:
-----------------------------------
I created a couple of new issues so that we can talk about it further:
[ROL-2068 - Error setting expression 'salt' with value \['...', \] in struts.devMode=true|https://issues.apache.org/jira/browse/ROL-2068]
[ROL-2069 - Improvement of salt processing|https://issues.apache.org/jira/browse/ROL-2069]
As to ROL-2068 I believe we can just add a no-op method, but as to ROL-2069 I
think we need to talk about it some more.
> No salt renewal on POST request
> -------------------------------
>
> Key: ROL-2058
> URL: https://issues.apache.org/jira/browse/ROL-2058
> Project: Apache Roller
> Issue Type: Bug
> Components: User Interface - General
> Affects Versions: 5.1.1
> Environment: WildFly 8.2.0.Final
> Reporter: Kohei Nozaki
> Assignee: David Johnson
> Fix For: 5.1.2
>
> Attachments: ROL-2058.patch
>
>
> Roller continues using the previous salt value which was sent from the client as a POST
> parameter. This leads to fixing of the salt value in the form element of the HTML, and
> brings ServletException("Security Violation") by ValidateSaltFilter in some
> use cases (e.g. long-term editing over 60 minutes) unexpectedly.
> It seems that the cause is the existence of the
> org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method.
> This overwrites the salt with the previous value which was sent by the client as a POST
> parameter. It's unnecessary behavior because the new salt value comes through the
> preceding invocation of UIAction#setRequest(Map).
> Original discussion in the mailing list:
> http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
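
A simplified model of the behaviour reported in ROL-2058, added here as an illustration; it is not Roller's code and not the contents of ROL-2058.patch. It compares a `setSalt` that overwrites the fresh salt with the posted one against a no-op `setSalt`. The class layout, the salt lifetime measured as 60 minutes from issue, the 20-minute save interval and the use of `SecurityException` in place of `ServletException` are assumptions.

```java
import java.util.*;

// Simplified stand-in for the ROL-2058 behaviour; names and timings are assumptions.
public class SaltRenewalDemo {
    static final long TTL_MIN = 60;                           // assumed salt lifetime
    static final Map<String, Long> issued = new HashMap<>();  // salt -> minute issued
    static long now = 0;                                      // simulated clock, minutes

    // Stand-in for the salt filter: validate the posted salt, then issue a fresh one.
    static String filter(String postedSalt) {
        Long t = issued.get(postedSalt);
        if (t == null || now - t > TTL_MIN)
            throw new SecurityException("Security Violation");
        String fresh = UUID.randomUUID().toString();
        issued.put(fresh, now);
        return fresh;
    }

    // Stand-in for the action: setRequest runs first, then parameter binding.
    static class Action {
        final boolean setterOverwrites;
        String salt;
        Action(boolean setterOverwrites) { this.setterOverwrites = setterOverwrites; }
        void setRequest(String freshSalt) { salt = freshSalt; }
        void setSalt(String posted) { if (setterOverwrites) salt = posted; } // else no-op
    }

    // One POST; returns the salt that would be rendered into the next form.
    static String post(String formSalt, boolean setterOverwrites) {
        String fresh = filter(formSalt);
        Action a = new Action(setterOverwrites);
        a.setRequest(fresh);
        a.setSalt(formSalt);   // the framework binds the "salt" POST parameter
        return a.salt;
    }

    // Save every 20 minutes for 80 minutes; true if every save passes the filter.
    static boolean editSession(boolean setterOverwrites) {
        issued.clear(); now = 0;
        String formSalt = "initial"; issued.put(formSalt, now);
        try {
            for (int i = 0; i < 4; i++) { now += 20; formSalt = post(formSalt, setterOverwrites); }
            return true;
        } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("setter overwrites, session survives: " + editSession(true));
        System.out.println("setter is a no-op, session survives: " + editSession(false));
    }
}
```

In the overwriting case the form keeps carrying the salt issued at minute 0, so the save at minute 80 is rejected even though the user was active throughout; with the no-op setter each form carries a salt at most 20 minutes old.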