[ https://issues.apache.org/jira/browse/WW-4849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154858#comment-16154858 ]

Mitth'raw'nuruodo commented on WW-4849:
---------------------------------------

Sorry, I don't think I understand your reply properly.

"just drop in the plugin itself" - I'm not sure what you mean here. The 
{{guice-servlet}} plugin (part of the Guice project) is no longer compatible 
with Struts as of release 2.5.13 due to the signature change. And I'm not sure 
that it can be made compatible, since it's supposed to somehow take a no-arg 
constructor and yet pass a Container to its superclass. That doesn't seem right 
to me. How is anyone supposed to correctly extend {{ObjectFactory}} now?

"there was no other way to fix the vulnerability" - Commit 
{{6f91d0776a545c911ca4f2875ed9976614711ef9}} didn't even reference any JIRA 
issues. If it really was crucial to fixing vulnerabilities, it probably should 
have been better documented. And is it really such a big problem to have a 
no-arg constructor in {{ObjectFactory}}? I haven't been able to find detailed 
documentation of the potential attack payloads, so I'm not clear on this.


> ObjectFactory constructor signature change breaks extensions
> ------------------------------------------------------------
>
>                 Key: WW-4849
>                 URL: https://issues.apache.org/jira/browse/WW-4849
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.13
>            Reporter: Mitth'raw'nuruodo
>             Fix For: 2.5.14
>
>
> Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}} changed the signature of 
> the {{ObjectFactory}} constructor, breaking all classes that extend 
> {{ObjectFactory}} (as per https://struts.apache.org/docs/objectfactory.html). 
> This affects e.g. the [{{guice-servlet}} Struts plugin|https://github.com/google/guice/blob/master/extensions/struts2/src/com/google/inject/struts2/Struts2Factory.java].
> This was not listed on the [2.5.13 version notes|https://struts.apache.org/docs/version-notes-2513.html] 
> as a breaking change, and breaking changes should preferably be avoided in 
> critical security updates.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)