2013/7/13 Przemysław Celej <p-ce...@o2.pl>:
> Hi,
>
> Recently we had to update Struts2 to the most recent version due to security
> issues. After the update we've noticed some strange behaviour. In my
> application every action implements the ParameterNameAware interface. Till
> yesterday I thought that the interface's method acceptableParameterName() is
> called _every time_ Struts tries to set a parameter, and that was the
> case till Struts 2.3.7 came out. I found that now the method is called
> _only_ if the parameter's name is not allowed by Struts' configuration (see
> ParametersInterceptor class comparison: [1] [2]). This behaviour allows
> manipulating internal action's properties whose name met configuration
> patterns - in practice, in most applications this allows accessing the business
> logic layer that shouldn't be accessed by users in any way. What is worse,
> there is no mention in the version notes for 2.3.7 [3] about this change.

This was already pointed out and resolved in [1] and the description of
ParametersInterceptor was also extended [2]. You can always return to
the old behaviour by overriding isAcceptableParameter() in
ParametersInterceptor.

I'm wondering if changing the order of execution, i.e.

    return (parameterNameAware != null && parameterNameAware.acceptableParameterName(name) || acceptableName(name));

would be better? Or maybe revert to the old behaviour?

[1] http://struts.apache.org/release/2.3.x/docs/version-notes-2312.html
[2] http://struts.apache.org/release/2.3.x/docs/parameters-interceptor.html

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
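
Added example, not part of either message and not Struts code: a stand-alone Java model of the evaluation orders discussed in this thread, run over constructed parameter names. The allow pattern, the action's accepted names and the methods configFirstOr, actionFirstOr and actionVeto are assumptions; actionVeto is an assumed reading of the "old behaviour" in which the action is consulted for every name and can reject it.

```java
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;

// Stand-alone model; it does not use Struts classes. All names are stand-ins.
public class ParamCheckOrderDemo {

    // Stand-in for the interceptor's configured check, acceptableName(name).
    // The pattern is a constructed example, not Struts' default.
    static final Pattern CONFIG_ALLOWED = Pattern.compile("[a-zA-Z0-9.]+");

    static boolean acceptableName(String name) {
        return CONFIG_ALLOWED.matcher(name).matches();
    }

    // Stand-in for an action's ParameterNameAware.acceptableParameterName(name):
    // this action only wants its two form fields bound.
    static final Predicate<String> ACTION = n -> n.equals("title") || n.equals("body");

    // Behaviour reported in the first message: the action is asked only
    // when the configured check has already rejected the name.
    static boolean configFirstOr(String name, Predicate<String> action) {
        return acceptableName(name) || (action != null && action.test(name));
    }

    // Order proposed in the reply: action asked first, config as fallback.
    static boolean actionFirstOr(String name, Predicate<String> action) {
        return (action != null && action.test(name)) || acceptableName(name);
    }

    // Assumed "old behaviour": the action sees every name that passes the
    // configured check and can veto it.
    static boolean actionVeto(String name, Predicate<String> action) {
        return acceptableName(name) && (action == null || action.test(name));
    }

    public static void main(String[] args) {
        // Constructed names: two form fields, one internal property path,
        // one name the configured pattern rejects.
        for (String name : List.of("title", "body", "orderService.discount", "bad[name]")) {
            System.out.printf("%-22s configFirstOr=%-5b actionFirstOr=%-5b actionVeto=%b%n",
                    name, configFirstOr(name, ACTION), actionFirstOr(name, ACTION),
                    actionVeto(name, ACTION));
        }
    }
}
```

For the constructed name orderService.discount both OR orderings return true and only actionVeto returns false: swapping the operands changes which check runs first, not which names are accepted.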