[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914085&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914085 ]
ASF GitHub Bot logged work on WW-5409:
--------------------------------------

Author: ASF GitHub Bot
Created on: 11/Apr/24 05:09
Start Date: 11/Apr/24 05:09
Worklog Time Spent: 10m
Work Description:
jefferyxhy commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1560440790

##########
core/src/main/resources/struts-6.4.0.dtd:
##########
@@ -0,0 +1,158 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +--> +<!

Issue Time Tracking
-------------------

Worklog Id: (was: 914085)
Time Spent: 40m (was: 0.5h)

> Introduce final attribute to package elements which makes them unextendable
> ---------------------------------------------------------------------------
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some
> quirks that, if a developer is not aware of them, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> <package name="package1">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>{code}
> If it is extended by another package like so:
> {code:xml}
> <package name="package2" extends="package1">
>     <default-interceptor-ref name="authenticatedOnly"/>
>     <action name="action2" class="Action2">
>         <result name="success" />
>     </action>
> </package>{code}
> The second package will inherit Action1; however, it will behave very
> differently in package2, because it is no longer subject to the same
> interceptors. The {{default-interceptor-ref}} value from the first package
> does not apply to any action in the extending package, not even the ones
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
> <package name="package1" final="true">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
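The quirk described in the issue above is easy to audit for in an existing struts.xml. The following Python script is an added example (not part of the issue, PR #914 or the Struts code base): it parses the package elements and models the resolution the reporter describes, namely that an action inherited through extends= runs under the default interceptor stack of the extending package unless the action pins its own interceptor-ref, and that a package without its own default-interceptor-ref picks up the nearest parent's. It reports every inherited action whose effective stack differs from the one in force where it was declared, and it also flags any package that extends a package carrying the final="true" attribute proposed in the issue (that attribute is an assumption here, taken from the proposal rather than from a released DTD). The sample configuration is constructed: the two packages from the issue plus a control package3 that extends package1 without overriding the default ref.

```python
"""Audit struts.xml packages for the default-interceptor-ref inheritance quirk.

Added example, not Struts project code. Models the resolution described in
WW-5409; the ``final`` attribute is the issue's proposal (assumed syntax).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: package1/package2 from the issue, plus package3 as a
# control case (extends package1, does not override the default ref).
SAMPLE_STRUTS_XML = """<struts>
  <package name="package1">
    <default-interceptor-ref name="adminOnly"/>
    <action name="action1" class="Action1">
      <result name="success"/>
    </action>
  </package>
  <package name="package2" extends="package1">
    <default-interceptor-ref name="authenticatedOnly"/>
    <action name="action2" class="Action2">
      <result name="success"/>
    </action>
  </package>
  <package name="package3" extends="package1">
    <action name="action3" class="Action3">
      <interceptor-ref name="defaultStack"/>
    </action>
  </package>
</struts>
"""


@dataclass
class Package:
    name: str
    extends: List[str]
    final: bool                      # assumed attribute from the issue's proposal
    default_ref: Optional[str]       # own <default-interceptor-ref>, if any
    actions: Dict[str, Optional[str]]  # action name -> explicit <interceptor-ref>, or None


def parse_packages(xml_text: str) -> Dict[str, Package]:
    """Build a name -> Package map from a struts.xml document."""
    root = ET.fromstring(xml_text)
    packages = {}
    for pkg in root.findall("package"):
        extends = [p.strip() for p in pkg.get("extends", "").split(",") if p.strip()]
        default_elem = pkg.find("default-interceptor-ref")
        actions = {}
        for action in pkg.findall("action"):
            ref = action.find("interceptor-ref")
            actions[action.get("name")] = ref.get("name") if ref is not None else None
        packages[pkg.get("name")] = Package(
            name=pkg.get("name"),
            extends=extends,
            final=pkg.get("final", "false").lower() == "true",
            default_ref=default_elem.get("name") if default_elem is not None else None,
            actions=actions,
        )
    return packages


def effective_default_ref(name: str, packages: Dict[str, Package]) -> Optional[str]:
    """Own default-interceptor-ref, else the first one found walking the parents."""
    pkg = packages[name]
    if pkg.default_ref is not None:
        return pkg.default_ref
    for parent in pkg.extends:
        ref = effective_default_ref(parent, packages)
        if ref is not None:
            return ref
    return None


def all_actions(name: str, packages: Dict[str, Package]) -> Dict[str, Tuple[str, Optional[str]]]:
    """action name -> (declaring package, explicit ref); own actions override inherited ones."""
    pkg = packages[name]
    merged = {}
    for parent in pkg.extends:
        merged.update(all_actions(parent, packages))
    for action, ref in pkg.actions.items():
        merged[action] = (name, ref)
    return merged


def audit(xml_text: str) -> List[dict]:
    """One finding per inherited action whose interceptor stack silently changes,
    plus one per package that extends a package marked final."""
    packages = parse_packages(xml_text)
    findings = []
    for pkg in packages.values():
        for parent in pkg.extends:
            if packages[parent].final:
                findings.append({"kind": "extends-final", "package": pkg.name, "parent": parent})
        for action, (declared_in, explicit_ref) in all_actions(pkg.name, packages).items():
            if declared_in == pkg.name or explicit_ref is not None:
                continue  # own action, or stack pinned on the action itself: no surprise
            declared_ref = effective_default_ref(declared_in, packages)
            effective_ref = effective_default_ref(pkg.name, packages)
            if declared_ref != effective_ref:
                findings.append({
                    "kind": "default-ref-drift",
                    "package": pkg.name,
                    "action": action,
                    "declared_in": declared_in,
                    "declared_ref": declared_ref,
                    "effective_ref": effective_ref,
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STRUTS_XML):
        print(finding)
```

Run against the sample, the only finding is action1 inside package2: declared under adminOnly, executed under authenticatedOnly. package3 produces nothing, because without its own default-interceptor-ref it inherits adminOnly from package1, and action3 pins defaultStack explicitly. Adding final="true" to package1 makes both extending packages show up as extends-final findings, which is the situation the proposed attribute is meant to turn into a configuration error.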