2013/10/16  <yuki.sugawara...@hitachi-systems.com>:
> Thanks Lukasz.
> This is not a vote, but additional questions.
>
> https://cwiki.apache.org/confluence/display/WW/S2-018
>> After upgrading to Struts 2.3.15.3, applications using the "action:" will 
>> stop working.
>
> We still want "action:" to work if possible, so we have added
>
> * struts.mapper.action.prefix.enabled
> * struts.mapper.action.prefix.crossNamespaces
>
> into struts.properties (or struts.xml) and set their values to true, as suggested
> under "Backward Compatibility".
> But "action:" did not seem to work in the 2.3.15.3 environment, contrary to our
> expectation.
> (Not a 404 error like 2.3.15.2, but a transition to the same page.)
>
> (Q1) Are those additional constants effective as mentioned in new S2-018?
> (Q2) Assume that the backward compatibility works, can we expect that 
> applying 2.3.15.3 with setting the additional constants true is still 
> valuable as a solution to the problem "Broken Access Control Vulnerability" 
> targeted in S2-018?

Are you sure? I have just tested (again) with struts2-blank and it
works as expected. You must have some strange configuration.

    <constant name="struts.mapper.action.prefix.enabled" value="true"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>

And I suggest leaving "struts.mapper.action.prefix.crossNamespaces" disabled.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
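
An added example, not part of the thread or of Struts itself: a small check that reads the two constants discussed above from struts.xml and struts.properties text and reports where the "action:" prefix is enabled and where crossNamespaces is switched on. The function names, the report layout and the sample inputs are constructed for illustration; a constant that is absent is reported as unset, and no default or precedence between the two files is assumed.

```python
import xml.etree.ElementTree as ET

ENABLED = "struts.mapper.action.prefix.enabled"
CROSS_NS = "struts.mapper.action.prefix.crossNamespaces"
WATCHED = (ENABLED, CROSS_NS)

def constants_from_xml(text):
    """Watched <constant name=... value=...> entries found in struts.xml text."""
    found = {}
    for el in ET.fromstring(text).iter("constant"):
        if el.get("name") in WATCHED:
            found[el.get("name")] = (el.get("value") or "").strip()
    return found

def constants_from_properties(text):
    """Watched key=value entries in struts.properties text ('=' separator only)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in WATCHED:
            found[key.strip()] = value.strip()
    return found

def is_true(value):
    # Assumption of this example: only the literal "true" (any case) counts as on.
    return value.strip().lower() == "true"

def audit(xml_text="", properties_text=""):
    """Report which source enables the prefix and which enables crossNamespaces."""
    settings = {
        "struts.xml": constants_from_xml(xml_text) if xml_text.strip() else {},
        "struts.properties": constants_from_properties(properties_text),
    }
    report = {"prefix_enabled_in": [], "cross_namespaces_in": [], "settings": settings}
    for source, consts in settings.items():
        if is_true(consts.get(ENABLED, "")):
            report["prefix_enabled_in"].append(source)
        if is_true(consts.get(CROSS_NS, "")):
            report["cross_namespaces_in"].append(source)
    return report

# Constructed samples: both constants true (as tested in the thread), and the
# same file with crossNamespaces left disabled (as the reply suggests).
BOTH_ON_XML = ('<struts><constant name="%s" value="true"/>'
               '<constant name="%s" value="true"/></struts>' % (ENABLED, CROSS_NS))
SUGGESTED_XML = '<struts><constant name="%s" value="true"/></struts>' % ENABLED

if __name__ == "__main__":
    for label, xml_text in (("both on", BOTH_ON_XML), ("suggested", SUGGESTED_XML)):
        print(label, audit(xml_text)["cross_namespaces_in"] or "crossNamespaces not enabled")
```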
