Github user yasserzamani commented on the issue:
https://github.com/apache/struts/pull/118
@lukaszlenart , @aleksandr-m , thank you for your comments. Today I did not
have enough time to prepare more dangerous security issue example but until I
prepare one in comming days, please consider the following example:
Simply, I created an action with json result and with Spring's
Transactional annotation (please consider that I know transactional actions are
not good practice but it's an example, the Struts2 user may use any unknown 3rd
party annotation **assuming Struts2 only operates in his borders rather than
overlapping other technologies like Spring**, the user may not get any
exception or error and so, may not check the generated json, but Struts2 emits
also his objects information to hackers by json result).
OK, this is the result of http://localhost:7780/springAction1
```json
{
"advisors":[
{
"advice":{
"transactionAttributeSource":{
},
"transactionManager":null
},
"adviceBeanName":"org.springframework.transaction.interceptor.TransactionInterceptor#0",
"order":2147483647,
"perInstance":true,
"pointcut":{
"classFilter":{
},
"methodMatcher":null,
"runtime":false
}
}
],
"callbacks":[ { }, { }, { }, { }, { }, {
}, { }
],
"exposeProxy":false,
"frozen":false,
"preFiltered":true,
"proxiedInterfaces":[
],
"proxyTargetClass":true,
"targetClass":"class
me.zamani.yasser.ww_convention.springactions.springAction1",
"targetSource":{
"static":true,
"target":{
},
"targetClass":"class
me.zamani.yasser.ww_convention.springactions.springAction1"
}
}
```
And this is the result of
http://localhost:7780/springAction1?advisors[0].adviceBeanName=&advisors[0].order=-1&exposeProxy=true&preFiltered=false
```json
{
"advisors":[
{
"advice":{
"transactionAttributeSource":{
},
"transactionManager":null
},
"adviceBeanName":"",
"order":-1,
"perInstance":true,
"pointcut":{
"classFilter":{
},
"methodMatcher":null,
"runtime":false
}
}
],
"callbacks":[ { }, { }, { }, { }, { }, {
}, { }
],
"exposeProxy":true,
"frozen":false,
"preFiltered":false,
"proxiedInterfaces":[
],
"proxyTargetClass":true,
"targetClass":"class
me.zamani.yasser.ww_convention.springactions.springAction1",
"targetSource":{
"static":true,
"target":{
},
"targetClass":"class
me.zamani.yasser.ww_convention.springactions.springAction1"
}
}
```
As you see, I changed something :) and then if I re-get even without any
query string, these changes are persistence :\
Furthermore, json result on Spring AOPed actions simply fails with:
```
org.apache.struts2.json.JSONException:
org.apache.struts2.json.JSONException: org.apache.struts2.json.JSONException:
java.lang.IllegalAccessException: Class org.apache.struts2.json.JSONWriter can
not access a member of class org.springframework.aop.TruePointcut with
modifiers "public"
at org.apache.struts2.json.JSONWriter.bean(JSONWriter.java:269)
at org.apache.struts2.json.JSONWriter.processCustom(JSONWriter.java:197)
at org.apache.struts2.json.JSONWriter.process(JSONWriter.java:182)
at org.apache.struts2.json.JSONWriter.value(JSONWriter.java:143)
at org.apache.struts2.json.JSONWriter.write(JSONWriter.java:110)
at org.apache.struts2.json.JSONUtil.serialize(JSONUtil.java:194)
at
org.apache.struts2.json.JSONResult.createJSONString(JSONResult.java:222)
at org.apache.struts2.json.JSONResult.execute(JSONResult.java:196)
at
com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:373)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:277)
at
org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:253)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:177)
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:260)
at
org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:73)
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:139)
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:133)
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:133)
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:192)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:69)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:115)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:88)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:246)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:99)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:139)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:156)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:174)
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:122)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:171)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:195)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:193)
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:247)
at
org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:54)
at
org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:564)
at
org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:81)
at
org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:143)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2430)
at
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2419)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.struts2.json.JSONException:
org.apache.struts2.json.JSONException: java.lang.IllegalAccessException: Class
org.apache.struts2.json.JSONWriter can not access a member of class
org.springframework.aop.TruePointcut with modifiers "public"
at org.apache.struts2.json.JSONWriter.bean(JSONWriter.java:269)
at org.apache.struts2.json.JSONWriter.processCustom(JSONWriter.java:197)
at org.apache.struts2.json.JSONWriter.process(JSONWriter.java:182)
at org.apache.struts2.json.JSONWriter.value(JSONWriter.java:143)
at org.apache.struts2.json.JSONWriter.array(JSONWriter.java:550)
at org.apache.struts2.json.JSONWriter.process(JSONWriter.java:170)
at org.apache.struts2.json.JSONWriter.value(JSONWriter.java:143)
at org.apache.struts2.json.JSONWriter.add(JSONWriter.java:428)
at org.apache.struts2.json.JSONWriter.bean(JSONWriter.java:254)
... 75 more
Caused by: org.apache.struts2.json.JSONException:
java.lang.IllegalAccessException: Class org.apache.struts2.json.JSONWriter can
not access a member of class org.springframework.aop.TruePointcut with
modifiers "public"
at org.apache.struts2.json.JSONWriter.bean(JSONWriter.java:269)
at org.apache.struts2.json.JSONWriter.processCustom(JSONWriter.java:197)
at org.apache.struts2.json.JSONWriter.process(JSONWriter.java:182)
at org.apache.struts2.json.JSONWriter.value(JSONWriter.java:143)
at org.apache.struts2.json.JSONWriter.add(JSONWriter.java:428)
at org.apache.struts2.json.JSONWriter.bean(JSONWriter.java:254)
... 83 more
Caused by: java.lang.IllegalAccessException: Class
org.apache.struts2.json.JSONWriter can not access a member of class
org.springframework.aop.TruePointcut with modifiers "public"
at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:109)
at
java.lang.reflect.AccessibleObject.slowCheckMemberAccess(AccessibleObject.java:261)
at
java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:253)
at java.lang.reflect.Method.invoke(Method.java:599)
at org.apache.struts2.json.JSONWriter.bean(JSONWriter.java:249)
... 88 more
```
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
