2013/10/16 <yuki.sugawara...@hitachi-systems.com>: > Thanks Lukasz. > This is not a vote, but additional questions. > > https://cwiki.apache.org/confluence/display/WW/S2-018 >> After upgrading to Struts 2.3.15.3, applications using the "action:" will >> stop working. > > We still want the "action:" works if possible, so we have added > > * struts.mapper.action.prefix.enabled > * struts.mapper.action.prefix.crossNamespaces > > into struts.properties (or struts.xml) and set their value true as suggested > as "Backward Compatibility". > But "action:" did not seem to work under 2.3.15.3 environment against our > expectation. > (Not 404 error like 2.3.15.2, but transit to the same page.) > > (Q1) Are those additional constants effective as mentioned in new S2-018? > (Q2) Assume that the backward compatibility works, can we expect that > applying 2.3.15.3 with setting the additional constants true is still > valuable as a solution to the problem "Broken Access Control Vulnerability" > targeted in S2-018?
Are you sure? I have just tested (again) with struts2-blank and it works as expected. You must have some strange configuration. <constant name="struts.mapper.action.prefix.enabled" value="true"/> <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/> And I suggest to leave "struts.mapper.action.prefix.crossNamespaces" disabled. Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org