[ https://issues.apache.org/jira/browse/WW-3538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12966219#action_12966219 ]

John Lindal commented on WW-3538:
---------------------------------

DMI can be quite useful.  That's why it was added :)

The right solution is to provide access control.  In my hacked version of 
2.2.1, I use a whitelist configuration, so only functions explicitly added to 
the whitelist can be invoked.  (execute is the exception, since it is the 
default.)

Let me know if you want me to contribute patches for this.  It requires a 
change to the DTD so the whitelist can be configured for each action.

> Remove Dynamic Method Invocation
> --------------------------------
>
>                 Key: WW-3538
>                 URL: https://issues.apache.org/jira/browse/WW-3538
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 
> 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 
> 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, 2.1.8.1, 2.2.1, 2.2.1.1
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>             Fix For: 2.3
>
>
> In all current Struts 2 versions you can use Dynamic Method Invocation to call a 
> particular public Action method using the syntax:
> /actionname!methodname
> It can be disabled by defining the constant struts.enable.DynamicMethodInvocation 
> = false 
> The idea is to totally remove such functionality from the project.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
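
The per-action whitelist described in the comment above, sketched as an added example; it is not code from Struts or from the commenter's patched 2.2.1. The class `DmiAllowlist`, its methods, the sample action and method names, and the choice to reject `!` requests when DMI is off are all assumptions made for illustration.

```java
import java.util.*;

/** Hypothetical per-action method allowlist for "/actionname!methodname" requests. */
public class DmiAllowlist {
    static final String DEFAULT_METHOD = "execute"; // always permitted, as in the comment

    private final Map<String, Set<String>> allowed = new HashMap<>();
    private final boolean dmiEnabled; // stands in for struts.enable.DynamicMethodInvocation

    DmiAllowlist(boolean dmiEnabled) { this.dmiEnabled = dmiEnabled; }

    /** Registers the methods that may be reached through "!" for one action. */
    DmiAllowlist allow(String action, String... methods) {
        allowed.computeIfAbsent(action, k -> new HashSet<>()).addAll(Arrays.asList(methods));
        return this;
    }

    /** Returns the method to invoke, or empty if the request must be rejected. */
    Optional<String> resolve(String path) {
        String name = path.startsWith("/") ? path.substring(1) : path;
        int bang = name.indexOf('!');
        if (bang < 0) return Optional.of(DEFAULT_METHOD);  // plain /actionname
        if (!dmiEnabled) return Optional.empty();          // this sketch rejects "!" when DMI is off
        String action = name.substring(0, bang);
        String method = name.substring(bang + 1);
        if (method.equals(DEFAULT_METHOD)) return Optional.of(method);
        // Exact match only: no prefixes, patterns or case folding.
        boolean ok = allowed.getOrDefault(action, Collections.emptySet()).contains(method);
        return ok ? Optional.of(method) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed policy: only save and delete are reachable on the "user" action.
        DmiAllowlist policy = new DmiAllowlist(true).allow("user", "save", "delete");
        // Constructed sample requests; purgeAll stands for a public method left off the list.
        for (String p : new String[] {"/user", "/user!save", "/user!execute",
                                      "/user!purgeAll", "/order!save", "/user!"}) {
            System.out.println(p + " -> " + policy.resolve(p).orElse("REJECTED"));
        }
    }
}
```

The list is keyed by action, so a method allowed on one action is not implicitly allowed on another, and an action with no entry exposes only `execute`.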
