Hi,
Recently we had to update Struts2 to the most recent version due to security
issues. After the update we noticed some strange behaviour. In my
application every action implements the ParameterNameAware interface; until
yesterday I thought that the interface's method acceptableParameterName() is
called _every time_ Struts tries to set a parameter, and that was the
case until Struts 2.3.7 came out. I found that now the method is called
_only_ if the parameter's name is not allowed by Struts' configuration (see
the ParametersInterceptor class comparison: [1] [2]). This behaviour allows
manipulating internal action properties whose names meet the configuration
patterns - in practice, in most applications this allows accessing the
business logic layer that shouldn't be accessible to users in any way.
What is worse, there is no mention in the version notes for 2.3.7 [3] about
this change.
Please consider writing the "version notes" more carefully when you are doing
such changes; I'm sure that most developers who rely on the
ParameterNameAware interface don't know that in recent versions of
Struts this behaviour has changed.
Thank you.
[1] http://grepcode.com/file/repo1.maven.org/maven2/org.apache.struts.xwork/xwork-core/2.3.4.1/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?av=f#280
[2] http://grepcode.com/file/repo1.maven.org/maven2/org.apache.struts.xwork/xwork-core/2.3.7/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java/#282
[3] http://struts.apache.org/release/2.3.x/docs/version-notes-237.html
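To make the reported change concrete, here is a small added Java model (not code from Struts or from the reporter) of the two orderings described in the message: an action-level whitelist that is always consulted versus one that is consulted only after the interceptor's own pattern has rejected the name. The accept pattern is a simplified stand-in, not the real Struts default, and OrderAction with its `approved` field is hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

// One-method stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware
// so this file compiles on its own.
interface ParameterNameAware {
    boolean acceptableParameterName(String parameterName);
}

// Hypothetical action: only two request parameters are meant to be settable.
class OrderAction implements ParameterNameAware {
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("orderId", "quantity"));
    // Internal property that users must never be able to set (constructed example).
    public boolean approved;

    @Override
    public boolean acceptableParameterName(String name) {
        return ALLOWED.contains(name);
    }
}

class ParameterPolicyModel {
    // Simplified stand-in for the interceptor's accepted-names pattern (assumption).
    static final Pattern CONFIG_ACCEPT = Pattern.compile("[A-Za-z0-9_.\\[\\]()']+");

    // Ordering up to 2.3.4.1 as described in the message: the action is always asked.
    static boolean acceptedOldOrdering(ParameterNameAware action, String name) {
        return CONFIG_ACCEPT.matcher(name).matches() && action.acceptableParameterName(name);
    }

    // Ordering in 2.3.7 as described: the action is asked only when the pattern rejects
    // the name, so a pattern-matching internal property bypasses the action's whitelist.
    // Under this ordering the guard has to live in the interceptor configuration as well
    // (e.g. its excludeParams setting), not only in acceptableParameterName().
    static boolean acceptedNewOrdering(ParameterNameAware action, String name) {
        if (CONFIG_ACCEPT.matcher(name).matches()) {
            return true;
        }
        return action.acceptableParameterName(name);
    }

    public static void main(String[] args) {
        OrderAction action = new OrderAction();
        for (String name : new String[] {"orderId", "approved"}) {
            System.out.printf("%-9s old=%b new=%b%n", name,
                    acceptedOldOrdering(action, name), acceptedNewOrdering(action, name));
        }
    }
}
```

Running the class compares both orderings for a whitelisted name and for the internal `approved` property.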