[ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564130#comment-13564130 ]

Christoph Lenggenhager commented on WW-3973:
--------------------------------------------

Agreed. Before 2.3.7, you could define a strict policy in the configuration and 
let the developers of actions allow a set of parameters that follow the defined 
"global" rules. This is now not possible any longer.
I just think that the change is slightly dangerous for users relying on both 
mechanisms (configuration and ParameterNameAware actions) to validate their 
parameter list and that it should not be introduced in a point release without 
any heads up. This is why I raised the issue.
                
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>             Fix For: 2.3.9
>
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable 
> parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
>         && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
> boolean acceptableName = acceptableName(name)
>         || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions 
> for parameter name validation (e.g. by explicitly whitelisting parameters).
