Mon, 25 Mar 2024 at 10:00 Greg Huber <gregh3...@gmail.com> wrote:
>
> OK great. More of a chance of it being read 🙂.

Thanks, merged

> I guess this new version includes all the "old versions" security stuff
> from past issues, and is not a new code base.

Yes, it only uses a different mechanism to pass uploaded files from within the interceptor to an action.

> As the old one is deprecated, and we all rush and upgrade, there may be
> more resources put in trying to break it. Maybe better to wait a bit
> before upgrading?

The new approach directly addresses all the previous vulnerabilities where the attacker was able to manipulate the file upload process by overriding parameters via setters. Migrating to this new mechanism is safer than staying with the old mechanism. Even if a new vulnerability is discovered, it will be way easier to fix it as your actions depend on the interface only.

Regards
--
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/
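The migration discussed in this message, as an added example that is not part of the original e-mail or the project's code: a setter-based upload action next to an interface-based one. It assumes the interface referred to is Struts' `UploadedFilesAware` with its `UploadedFile` type, which the e-mail does not name; both class names are hypothetical.

```java
import java.util.List;
import org.apache.struts2.action.UploadedFilesAware;   // assumed: not named in the e-mail
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Before: the deprecated mechanism. The file and its metadata arrive through
// public setters, the same binding path used for ordinary request parameters.
class LegacyUploadAction {                              // hypothetical name
    private java.io.File upload;
    private String uploadFileName;
    private String uploadContentType;

    public void setUpload(java.io.File upload) { this.upload = upload; }
    public void setUploadFileName(String name) { this.uploadFileName = name; }
    public void setUploadContentType(String type) { this.uploadContentType = type; }

    public String execute() { return upload == null ? "input" : "success"; }
}

// After: no upload-related setters exist on the action, so request parameters
// have nothing to bind to. The interceptor passes the files through one method.
class InterfaceUploadAction implements UploadedFilesAware {   // hypothetical name
    private UploadedFile uploaded;
    private String storedName;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        // Only the first file is kept in this example.
        if (uploadedFiles != null && !uploadedFiles.isEmpty()) {
            this.uploaded = uploadedFiles.get(0);
        }
    }

    public String execute() {
        if (uploaded == null || uploaded.getOriginalName() == null) {
            return "input";
        }
        // The client-supplied name is still untrusted: keep only the base name
        // before using it anywhere near the file system.
        String name = uploaded.getOriginalName();
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        storedName = name.substring(cut + 1);
        return storedName.isEmpty() ? "input" : "success";
    }

    public String getStoredName() { return storedName; }
}
```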