lukaszlenart commented on PR #663: URL: https://github.com/apache/struts/pull/663#issuecomment-1457617483
> > right now it would be possible to access `ActionContext` out of action, directly from JSP?
>
> Not clear on what you mean, how so?

If the flag is "on" and the request matches excluded URLs, the `ActionContext` will be available in non-Struts managed endpoints. By design all the requests should be handled by the actions first and then forwarded into the view layer (like JSP or FreeMarker); this also involves the whole security mechanism embedded into the _normal_ flow (interceptors).

With this change it is possible to overuse this functionality by having an excluded URL and still accessing `ActionContext` out of action scope directly from JSP or FreeMarker. The user is "escaping" from the Struts sandbox, yet still has the option to operate on `ActionContext`, e.g. `ActionContext.getContext().getContainer()`. This raises security concerns, tbh.
