AliasInterceptor does not set setDenyMethodExecution()
------------------------------------------------------
Key: WW-3214
URL: https://issues.apache.org/struts/browse/WW-3214
Project: Struts 2
Issue Type: Bug
Components: Core Interceptors
Affects Versions: 2.1.7, 2.1.6
Reporter: Jasper Rosenberg
Fix For: 2.0.15, 2.1.8
There are actually a lot of issues with AliasInterceptor:
1. It injects the aliased parameter without first setting
ReflectionContextState.setDenyMethodExecution(contextMap, true). This is a
security issue.
2. It doesn't handle conversion errors
3. It doesn't set setCreatingNullObjects(contextMap, true) like all other
parameter injecting interceptors
4. It uses a different instance of the parameter map than all of the other
parameter related interceptors (stack.getContext().get("parameters") rather
than ac.getParameters())
5. It doesn't offer an option to not inject the other parameters later on (in
other words, if I alias A to B, the contents of A get injected twice, once as A
and once as B, assuming I have ParameterInterceptor in the stack too and haven't
explicitly filtered out A). This is more of an enhancement request, of course.
My 2 cents is that the AliasInterceptor should just be deprecated, and the
ability to alias a parameter should just be moved to ParameterInterceptor. It
would be nice too because, if you made static params also extend params
(WW-3213), then all three parameter-injecting interceptors would support
aliasing. That would be a nice consistency, and useful now that static-params
can be set by wildcards. Issue 5 could be more easily implemented from within
the main params interceptor as well.
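
An added example, not part of the original report and not Struts' own code: a sketch of alias injection wrapped in the ReflectionContextState guards that items 1 to 4 say are missing. The class name GuardedAliasInjector and the aliases map are hypothetical, and it assumes the Struts 2.1.x API, where ActionContext.getParameters() returns Map<String, Object>.

```java
import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.reflection.ReflectionContextState;

/** Hypothetical helper (illustration only): guarded alias injection. */
public final class GuardedAliasInjector {

    private GuardedAliasInjector() {
    }

    /**
     * @param ac      the current action context
     * @param aliases source parameter name mapped to the alias expression to set
     */
    public static void inject(ActionContext ac, Map<String, String> aliases) {
        Map<String, Object> contextMap = ac.getContextMap();
        // Item 4: read the same parameter map the other parameter interceptors use.
        Map<String, Object> parameters = ac.getParameters();
        if (parameters == null || aliases == null) {
            return;
        }
        ValueStack stack = ac.getValueStack();
        try {
            // Item 3: create intermediate objects for nested alias targets.
            ReflectionContextState.setCreatingNullObjects(contextMap, true);
            // Item 1: request-supplied values must not trigger method calls
            // while the alias expression is evaluated.
            ReflectionContextState.setDenyMethodExecution(contextMap, true);
            // Item 2: have type conversion failures recorded in the context.
            ReflectionContextState.setReportingConversionErrors(contextMap, true);

            for (Map.Entry<String, String> alias : aliases.entrySet()) {
                Object value = parameters.get(alias.getKey());
                if (value != null) {
                    stack.setValue(alias.getValue(), value);
                }
            }
        } finally {
            // Clear the flags so later value stack use (for example result
            // rendering) is not affected by the injection settings.
            ReflectionContextState.setCreatingNullObjects(contextMap, false);
            ReflectionContextState.setDenyMethodExecution(contextMap, false);
            ReflectionContextState.setReportingConversionErrors(contextMap, false);
        }
    }
}
```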