Moved from user list.
Dale Newfield wrote:
"?method:MY_METHOD_NAME"
Is there any way to restrict which methods are valid there, or to
turn this capability off?
Reading the source
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.java?view=markup
indicates the answer is "no".
I propose adding a check for "allowDynamicMethodCalls" in this code as
well (which if not set would effectively ignore the parameter). I
recognize that this may break some functionality (namely alternate
submit buttons in forms), but as this is really a vulnerability, I think
it is important to address...
...and we could regain the submit button functionality with JavaScript
that changes the form submission action URL...
-Dale
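The check proposed above, sketched as an added, self-contained Java illustration; this is not code from the Struts project or from the DefaultActionMapper linked in the mail. It assumes a hypothetical helper (`DynamicMethodGate`) that sees the request parameter map before an action method is selected, and shows two layers: the `allowDynamicMethodCalls` switch the mail asks for (when off, any `method:NAME` parameter is ignored entirely), plus an explicit allowlist of method names so that even when the feature is on, a request cannot name arbitrary methods on the action. Method names, the allowlist contents and the sample request are constructed for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical, stand-alone illustration of gating "method:NAME" request
 * parameters (not Struts code). Two controls are applied in order:
 *   1. allowDynamicMethodCalls: if false, "method:*" parameters are ignored,
 *      matching the behaviour proposed in the mail above;
 *   2. an allowlist of method names the request may select, so the feature
 *      cannot reach arbitrary public methods on an action class.
 */
public final class DynamicMethodGate {

    private static final String PREFIX = "method:";
    // Only plain Java identifiers are ever considered as method names.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private final boolean allowDynamicMethodCalls;
    private final Set<String> allowedMethods;

    public DynamicMethodGate(boolean allowDynamicMethodCalls, Set<String> allowedMethods) {
        this.allowDynamicMethodCalls = allowDynamicMethodCalls;
        this.allowedMethods = Collections.unmodifiableSet(new LinkedHashSet<>(allowedMethods));
    }

    /**
     * Returns the action method selected by a "method:NAME" parameter, or
     * null when the parameter is absent, disabled, malformed or not allowlisted.
     * A null result means the mapper should fall back to the default method.
     */
    public String resolveMethod(Map<String, String[]> requestParams) {
        for (String key : requestParams.keySet()) {
            if (key == null || !key.startsWith(PREFIX)) {
                continue;
            }
            // Layer 1: the switch proposed in the mail. Off means "ignore the parameter".
            if (!allowDynamicMethodCalls) {
                return null;
            }
            String name = key.substring(PREFIX.length());
            // Layer 2: reject anything that is not a well-formed, allowlisted name.
            if (!SAFE_NAME.matcher(name).matches() || !allowedMethods.contains(name)) {
                return null;
            }
            return name;
        }
        return null;
    }

    // Small demonstration with a constructed request parameter map.
    public static void main(String[] args) {
        Set<String> allowlist = new LinkedHashSet<>();
        allowlist.add("save");   // e.g. the "Save" submit button
        allowlist.add("cancel"); // e.g. the "Cancel" submit button

        Map<String, String[]> saveRequest = new HashMap<>();
        saveRequest.put("method:save", new String[] {"Save"});

        Map<String, String[]> unexpectedRequest = new HashMap<>();
        unexpectedRequest.put("method:someOtherMethod", new String[] {""});

        DynamicMethodGate off = new DynamicMethodGate(false, allowlist);
        DynamicMethodGate on = new DynamicMethodGate(true, allowlist);

        System.out.println("switch off, method:save      -> " + off.resolveMethod(saveRequest));       // null
        System.out.println("switch on,  method:save      -> " + on.resolveMethod(saveRequest));        // save
        System.out.println("switch on,  non-allowlisted  -> " + on.resolveMethod(unexpectedRequest));  // null
    }
}
```

With the switch off, the mapper never looks at the name at all, which is the "effectively ignore the parameter" behaviour the mail describes; the allowlist is the extra step a reviewer would ask for if the feature must stay on for multi-button forms.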