Github user aleksandr-m commented on the issue:
https://github.com/apache/struts/pull/133
> Not every.

Remember that issue that you've submitted to the security list? All actions are affected. With this proposal the `bean` attribute must be added to every action configuration in the application.

> No, I think about S2 borders. I'm trying to discuss that S2 should or should not know the config time class of the action and then do not operate outside of that border.

Mostly it is the job of the application developer to protect sensitive data (e.g. not writing a setter for the `secretToken` property :), excluding some parameters, etc.). The real problem is that for proxied stuff it is somehow obscure.

> As I mentioned, when the user uses the class attribute as a bean name, S2 cannot know the action configuration class in any clean way.

Even if it is not a Spring bean name, it can still be affected.

They are good enough to handle most of the cases and they can be combined to achieve better results.