Christoph Lenggenhager created WW-3973:
------------------------------------------
Summary: WW-3866 overrides ParameterNameAware decision with
interceptor settings
Key: WW-3973
URL: https://issues.apache.org/jira/browse/WW-3973
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.7
Reporter: Christoph Lenggenhager
The fix for WW-3866 (Revision 1379386) changes the logic for acceptable
parameter names from
{code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
boolean acceptableName = acceptableName(name)
        && (parameterNameAware == null
            || parameterNameAware.acceptableParameterName(name));
{code}
to
{code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
boolean acceptableName = acceptableName(name)
        || (parameterNameAware != null
            && parameterNameAware.acceptableParameterName(name));
{code}
This might pose a security risk if implementations relied on their actions
for parameter name validation (e.g. by explicitly whitelisting parameters).
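The effect of the two expressions quoted in the report, as an added example that is not part of the original issue or of the Struts code base. The `ParameterNameAware` interface here is a local stand-in with the same method name, the interceptor's own `acceptableName` check is reduced to a constructed pattern (an assumption, not the Struts default), and the whitelisting action and parameter names are hypothetical.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class ParameterNameDecision {
    // Local stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    // Stand-in for the interceptor's acceptableName(name) check.
    // Constructed pattern for illustration, not the Struts default.
    static final Pattern INTERCEPTOR_ACCEPTED = Pattern.compile("[\\w.]+");

    static boolean interceptorAccepts(String name) {
        return INTERCEPTOR_ACCEPTED.matcher(name).matches();
    }

    // Expression quoted as "from": interceptor AND action must both accept.
    static boolean before(String name, ParameterNameAware action) {
        return interceptorAccepts(name)
                && (action == null || action.acceptableParameterName(name));
    }

    // Expression quoted as "to": acceptance by either one is enough.
    static boolean after(String name, ParameterNameAware action) {
        return interceptorAccepts(name)
                || (action != null && action.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // Hypothetical action that whitelists exactly two parameter names.
        Set<String> whitelist = Set.of("username", "email");
        ParameterNameAware action = whitelist::contains;

        // Constructed sample names: two whitelisted, two not.
        for (String name : List.of("username", "email", "role", "account.admin")) {
            boolean b = before(name, action);
            boolean a = after(name, action);
            // Flag names the action rejects but the changed logic lets through.
            System.out.printf("%-14s before=%-5s after=%-5s%s%n", name, b, a,
                    (a && !b) ? "  <- action whitelist no longer enforced" : "");
        }
    }
}
```

A check of this shape can serve as a regression test for actions that rely on `acceptableParameterName` as their whitelist.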