[ https://issues.apache.org/jira/browse/WW-3973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564186#comment-13564186 ]

Lukasz Lenart commented on WW-3973:
-----------------------------------

Yes, but quite often the global restrictions were too restrictive, e.g.:
right now acceptedParamNames disallows an empty space in a param name to avoid remote 
code execution, but you can have a case where you need to have such a parameter 
-> 'car name' - in this case you can obey the global restriction with 
ParameterNameAware#acceptableParameterName()

Anyway, what is your proposal? Is updating the docs with some disclaimer about 
security enough? Or do you want to have the old behaviour? We can think of 
some switch which will turn the old behaviour on, but this could be hard to 
understand.
                
> WW-3866 overrides ParameterNameAware decision with interceptor settings
> -----------------------------------------------------------------------
>
>                 Key: WW-3973
>                 URL: https://issues.apache.org/jira/browse/WW-3973
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.7
>            Reporter: Christoph Lenggenhager
>             Fix For: 2.3.9
>
>
> The fix for WW-3866 (Revision 1379386) changes the logic for acceptable 
> parameter names from
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
> {code}
> to
> {code:title=com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.}
>         boolean acceptableName = acceptableName(name)
>                  || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
> {code}
> This might impose a security risk if implementations relied on their actions 
> for parameter name validation (e.g. by explicitly whitelisting parameters).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

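The following is an added illustration, not code from Struts or from anyone in this thread. It models the two versions of the acceptance logic quoted in the issue (the `&&` form before revision 1379386 and the `||` form after it) against a constructed action that whitelists exactly two parameter names, one of which ('car name', from the comment above) contains a space. The `ParameterNameAware` interface, the `acceptableName` check and the regular expression are simplified stand-ins for the real Struts classes and the real `acceptedParamNames` default; the parameter names in the table are made up for the demonstration.

```java
import java.util.regex.Pattern;

/**
 * Added demonstration (not Struts code): how ParametersInterceptor combined
 * the interceptor-level name check with an action's ParameterNameAware
 * decision before and after the WW-3866 change.
 */
public class AcceptableNameDemo {

    /** Stand-in for the real ParameterNameAware interface (same method name). */
    interface ParameterNameAware {
        boolean acceptableParameterName(String parameterName);
    }

    /** Simplified stand-in for acceptedParamNames; no whitespace allowed. */
    private static final Pattern ACCEPTED = Pattern.compile("[a-zA-Z0-9.\\[\\]()_']+");

    /** Interceptor-level check, modelled on ParametersInterceptor#acceptableName. */
    static boolean acceptableName(String name) {
        return ACCEPTED.matcher(name).matches();
    }

    /** Logic before revision 1379386: the global check AND the action's check must pass. */
    static boolean acceptableBefore(String name, ParameterNameAware aware) {
        return acceptableName(name)
                && (aware == null || aware.acceptableParameterName(name));
    }

    /** Logic after revision 1379386: passing EITHER check is enough. */
    static boolean acceptableAfter(String name, ParameterNameAware aware) {
        return acceptableName(name)
                || (aware != null && aware.acceptableParameterName(name));
    }

    /** Constructed action that explicitly whitelists two parameters and rejects all others. */
    static final ParameterNameAware WHITELIST_ACTION =
            name -> name.equals("car name") || name.equals("owner");

    public static void main(String[] args) {
        // Constructed sample names: one whitelisted, one whitelisted-with-space,
        // and two that the action's whitelist is meant to reject.
        String[] names = {"owner", "car name", "roles", "admin.enabled"};
        System.out.printf("%-15s %-7s %-7s%n", "parameter", "before", "after");
        for (String n : names) {
            System.out.printf("%-15s %-7b %-7b%n", n,
                    acceptableBefore(n, WHITELIST_ACTION),
                    acceptableAfter(n, WHITELIST_ACTION));
        }
    }
}
```

Running it prints `owner` as accepted under both versions, `car name` as rejected before (it fails the global pattern) and accepted after (the action vouches for it, which is the case the comment above describes), and `roles` and `admin.enabled` as rejected before but accepted after: with `||`, any name that satisfies the global pattern is set regardless of the action's whitelist, which is the regression the reporter points out.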