[jira] Commented: (WW-2316) Ability to prevent method:METHOD_NAME access

Mon, 12 Nov 2007 18:28:04 -0800 

    [ 
https://issues.apache.org/struts/browse/WW-2316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42635
 ] 

Dave Newton commented on WW-2316:
---------------------------------

Was the general philosophy of WW that "a public action in an action is always 
available to an app user"?

If so, methods that don't want to be exposed can just be made private 
(protected?).

If you're using an action method from somewhere else in the app then perhaps it 
belongs somewhere else anyway.

Privilege checks would have to be done either in the method or through an 
interceptor, and they'd only be on public methods.

> Ability to prevent method:METHOD_NAME access
> --------------------------------------------
>
>                 Key: WW-2316
>                 URL: https://issues.apache.org/struts/browse/WW-2316
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Dispatch Filter
>    Affects Versions: 2.0.11, 2.1.0
>            Reporter: Dale Newfield
>             Fix For: 2.1.1
>
>
> In order to allow multiple form submission buttons result in different 
> behavior based on the button pressed, a specially named parameter is included 
> in the form submission that instructs the ActionMapper to call a method 
> indicated in the URL.  This special parameter can be used to implement a 
> credential escalation attack, though:  If a user has suffiicient credentials 
> to call a single method on an action, this provides a mechanism whereby they 
> could call any method on that action.  The "action!method.do" capability 
> introduces a similar vulnerability, and the "allowDynamicMethodCalls" option 
> closes that hole.  Besides needing to provide a different mechanism to allow 
> different form submission buttons to do different things, is there a large 
> downside to using this same option ("allowDynamicMethodCalls") to close this 
> hole as well?
> (Just to be explicit, that solution would wrap "if (allowDynamicMethodCalls) 
> {" and "}" around lines 186-188 in 
> org.apache.struts2.dispatcher.mapper.DefaultActionMapper.java .)
> http://www.nabble.com/forum/ViewPost.jtp?post=13710147&framed=y
> http://www.nabble.com/forum/ViewPost.jtp?post=13711925&framed=y

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to