But I guess it's always good to give first preference to the Struts2 core security check (i.e. the acceptableName check first) as long as Struts2 OGNL is vulnerable. Users of the Struts2 framework should not bypass these default checks by mistake by excluding them in acceptableParams.

So I hope the following code will be suitable:

*acceptableName(name) && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));*

So the check will be strong from a security point of view.

1) acceptableName(name)
   The default check will make sure nobody bypasses the Struts2 default check, knowingly or unknowingly.

2) &&
   This makes the Struts2 security check stronger, so that the user can't bypass it.

3) (parameterNameAware == null || parameterNameAware.acceptableParameterName(name))
   If the Struts2 default check accepted the parameter, then: if this action is not ParameterNameAware, return true; else, if this action is ParameterNameAware, call acceptableParameterName(name). So the user will understand he can't bypass the Struts2 default due to the Struts2 security vulnerability, and he will have control over some custom parameter he wants to bypass (except all default Struts2 params).

--
View this message in context: http://struts.1045723.n5.nabble.com/Add-to-ParameterNameAware-JavaDoc-Warning-About-Using-tp5713285p5713672.html
Sent from the Struts - Dev mailing list archive at Nabble.com.
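The combined check described above, as an added stand-alone model that is not Struts2's own ParametersInterceptor code: the default name filter here (a plain property-path pattern) is an assumption standing in for the framework's real acceptableName, and the two action classes are hypothetical. It shows that a ParameterNameAware action can only narrow what the default check already accepted, never widen it.

```java
import java.util.regex.Pattern;

// Simplified stand-alone model of the proposed check. Not Struts2 code: the
// default filter below is an assumption that only accepts plain property
// paths (letters, digits, '.', '[', ']', '_'), rejecting OGNL-style names.
public class CombinedParamCheck {

    // Mirrors the xwork ParameterNameAware contract: an action may say
    // which parameter names it is willing to have bound.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    private static final Pattern DEFAULT_ACCEPTED =
        Pattern.compile("[a-zA-Z0-9\\.\\]\\[_]+");

    // Framework-level check: evaluated first and never skipped by an action.
    static boolean acceptableName(String name) {
        return name != null && DEFAULT_ACCEPTED.matcher(name).matches();
    }

    // The expression proposed in the message: the default check must pass,
    // and only then does the action's own opinion get consulted.
    static boolean isAcceptable(String name, Object action) {
        ParameterNameAware aware =
            (action instanceof ParameterNameAware) ? (ParameterNameAware) action : null;
        return acceptableName(name)
            && (aware == null || aware.acceptableParameterName(name));
    }

    // Hypothetical action that accepts everything: it still cannot widen the default.
    static class PermissiveAction implements ParameterNameAware {
        public boolean acceptableParameterName(String name) { return true; }
    }

    // Hypothetical action that narrows: it keeps its "isAdmin" property out of request binding.
    static class StrictAction implements ParameterNameAware {
        public boolean acceptableParameterName(String name) { return !"isAdmin".equals(name); }
    }

    public static void main(String[] args) {
        Object plainAction = new Object();   // not ParameterNameAware at all
        String[] names = {"user.name", "#session.user", "isAdmin"};
        for (String n : names) {
            System.out.printf("%-14s plain=%-5b permissive=%-5b strict=%-5b%n", n,
                isAcceptable(n, plainAction),
                isAcceptable(n, new PermissiveAction()),
                isAcceptable(n, new StrictAction()));
        }
    }
}
```

Running it shows "#session.user" rejected for every action, including the permissive one, while "isAdmin" is accepted by default and blocked only by the action that chose to narrow.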