[ 
https://issues.apache.org/jira/browse/WW-4751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978237#comment-15978237
 ] 

Yasser Zamani commented on WW-4751:
-----------------------------------

WW-4105 is nicely fixed by this approach, i.e. considering the config-time class of the action when copying properties in the action chain :) You can see a [list of changes here|https://github.com/yasserzamani/struts/commit/e95224f26aa17dad6ad490473b4aeab1d2ceaf79].

Now I am working on the Parameters Interceptor. Considering the config-time class of the action there enhances S2 security by preventing the proxy information of a proxied action from being changed by an attacker!

> Struts2 should know and consider config time class of user's Actions
> --------------------------------------------------------------------
>
>                 Key: WW-4751
>                 URL: https://issues.apache.org/jira/browse/WW-4751
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Yasser Zamani
>            Priority: Minor
>             Fix For: 2.5.next
>
>
> I see some issues like WW-4105, WW-4694 and WW-4498 suffer from a lack of this information, i.e. the config-time class of the user's action.
> I also know future issues like the ones below are possible or have the potential to occur when Struts2 gives Actions up to an object factory and itself does not know any more about the Action's real class (i.e. when the user sets className to a bean name inside his object factory):
> * JSONResult will fail or will generate ugly JSON when the action is an AOPed proxy, because JSONResult tries to generate JSON from irrelevant information like advices etc.
> * From a security point of view, someone may successfully change that action's proxy or AOP information simply by calling that action and submitting some named parameters.
> I know these are solvable by forcing the user to specify includes/excludes parameters, but a better and more beautiful approach is as below:
> (proxied action) -> ... -> (some subclass of action) -> ... -> (*user config time specified class*) -> ... -> (some superclass of action) -> ... -> Struts2's ActionSupport -> ...
> If we suppose the above as the type hierarchy of the action, knowing the *user config time specified class*, Struts2 can exclude all subclasses above this class and all superclasses under and including ActionSupport in all sensitive places to avoid potential future issues.
> What do you think? :)
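As an added illustration of the hierarchy walk sketched in the issue description and applied in the comment above (this is example code written for this page, not code from the issue, the linked commit, or Struts itself), the Java below assumes a hypothetical type hierarchy: an `ActionSupport` stand-in as the framework base, `CompanyBaseAction` as a user superclass, `UserAction` as the config-time class, and `UserActionProxy` as the subclass an AOP proxy would produce at runtime. It derives the writable properties that lie between the config-time class (inclusive) and the framework base (exclusive), which is the set a chain-copy step or a parameters interceptor could accept, and shows that proxy-level and framework-level properties fall outside it. The names `allowedProperties` and `accept` are chosen here and are not Struts APIs.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical stand-ins for the hierarchy in the issue; not the real Struts classes.
class ActionSupport {                                   // framework base (to be excluded)
    public void setLocale(String locale) {}
}
class CompanyBaseAction extends ActionSupport {         // user superclass (to be included)
    public void setAuditTag(String tag) {}
}
class UserAction extends CompanyBaseAction {            // config-time class from struts.xml
    public void setUsername(String username) {}
}
class UserActionProxy extends UserAction {              // runtime AOP subclass (to be excluded)
    public void setAdvice(String advice) {}
}

public class ConfigTimeClassAllowlist {

    /**
     * Walk the superclass chain from the config-time class up to, but not
     * including, the framework base, collecting every writable bean property
     * declared along the way. Subclasses of the config-time class (proxies)
     * are never visited because the walk starts at the config-time class.
     */
    static Set<String> allowedProperties(Class<?> configTimeClass, Class<?> frameworkBase) throws Exception {
        Set<String> names = new LinkedHashSet<>();
        for (Class<?> c = configTimeClass; c != null && c != frameworkBase; c = c.getSuperclass()) {
            // stopClass = c.getSuperclass() limits introspection to properties declared in c itself
            PropertyDescriptor[] descriptors =
                Introspector.getBeanInfo(c, c.getSuperclass()).getPropertyDescriptors();
            for (PropertyDescriptor pd : descriptors) {
                if (pd.getWriteMethod() != null) {
                    names.add(pd.getName());
                }
            }
        }
        return names;
    }

    /**
     * Decide whether a submitted parameter name may be written. Only the first
     * segment of a dotted or indexed name is checked, a simplification assumed here.
     */
    static boolean accept(Set<String> allowed, String paramName) {
        String root = paramName.split("[.\\[]")[0];
        return allowed.contains(root);
    }

    public static void main(String[] args) throws Exception {
        // The runtime instance is the proxy subclass, but the allowlist is built
        // from the class the user configured, exactly as the issue proposes.
        Object runtimeAction = new UserActionProxy();
        Set<String> allowed = allowedProperties(UserAction.class, ActionSupport.class);

        System.out.println("runtime class : " + runtimeAction.getClass().getSimpleName());
        System.out.println("allowed props : " + allowed);            // [username, auditTag]

        String[] submitted = {"username", "auditTag", "advice", "locale", "username.length"};
        for (String p : submitted) {
            System.out.println((accept(allowed, p) ? "accept " : "reject ") + p);
        }
        // Expected: accept username, accept auditTag, reject advice (proxy level),
        //           reject locale (framework level), accept username.length (root is allowed)
    }
}
```

Compile and run with `javac ConfigTimeClassAllowlist.java && java ConfigTimeClassAllowlist`. The point of starting the walk at the config-time class rather than at `runtimeAction.getClass()` is that whatever the object factory wraps around the action at runtime never contributes to the set of writable names.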



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
