brianandle commented on code in PR #559:
URL: https://github.com/apache/struts/pull/559#discussion_r891898052
##########
core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java:
##########
@@ -354,7 +407,86 @@ protected boolean isExcluded(String paramName) {
}
return false;
}
+
+ public void setAcceptedValuePatterns(String commaDelimitedPatterns) {
Review Comment:
My concern would be the regression impact. I would sure hope that Struts
users aren't ever expecting users to pass in params with values with %{} and
${} but that level of change seems best to include with a major (which
ironically I just missed).
I do think we could prevent an entire attack vector by excluding %{} and ${}
in param values but again I'd be worried about the regression impact.
If the Struts team wants to do that I wouldn't object but I wasn't going to
go that far on my own.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
