Github user yasserzamani commented on the issue:
https://github.com/apache/struts/pull/133
> Remember that issue that you've submitted to the security list? All actions
> are affected. With this proposal the bean attribute must be added to every action
> configuration in the application.
If this proposal forced the user to use the `bean` attribute for every
action, I myself would be the first person to reject it. If you think so, then you are
right to be worried.
Yes, I remember the issue which I submitted to the security list. Maybe I
misunderstood something, but let's count the cases:
1. When the action is not a bean and is not proxied, e.g. `<action
class="me.yz.Action1">`: then
`objectFactory.getInstanceClass(actionConfig.getClassName())` returns
`me.yz.Action1` and my proposal behaves like current S2.
2. When the action is not a bean, but is proxied, e.g. `<action
class="me.yz.Action1">` and `<aop:pointcut id="actionExecute"
expression="execution(String me.yz.Action1.execute())">`: same as (1),
`objectFactory.getInstanceClass(actionConfig.getClassName())` returns
`me.yz.Action1` and my proposal behaves like current S2.
3. When the action is a bean, but is not proxied, e.g. `<action
class="myAction1">` and `<bean name="myAction1" class="me.yz.Action1">`: same as (1),
`objectFactory.getInstanceClass(actionConfig.getClassName())` returns
`me.yz.Action1` and my proposal behaves like current S2.
4. AND when the action is a bean and is proxied, e.g. `<action
class="myAction1">` and `<bean name="myAction1" class="me.yz.Action1">` and
`<aop:pointcut id="actionExecute" expression="execution(String
me.yz.Action1.execute())">`: here
`objectFactory.getInstanceClass(actionConfig.getClassName())` returns something
different from `me.yz.Action1`, and my proposal warns the user that the runtime and
config-time classes of the action are not the same and recommends the use of the `bean`
attribute, i.e. rewriting the config to `<action class="me.yz.Action1" bean="myAction1">`.
So only case 4 needs protection, and it does not fail when `bean` is not used;
it just logs a warning. Did I miss something?
Thanks for your time!