[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914325&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914325 ]
ASF GitHub Bot logged work on WW-5409:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Apr/24 06:06
            Start Date: 12/Apr/24 06:06
    Worklog Time Spent: 10m 
      Work Description: 
    jefferyxhy commented on code in PR #914:
    URL: https://github.com/apache/struts/pull/914#discussion_r1562054799


    ##########
    core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java:
    ##########
@@ -54,6 +54,7 @@ public class StrutsXmlConfigurationProvider extends XmlConfigurationProvider { put("-//Apache Software Foundation//DTD Struts Configuration 2.3//EN", "struts-2.3.dtd"); put("-//Apache Software Foundation//DTD Struts Configuration 2.5//EN", "struts-2.5.dtd"); put("-//Apache Software Foundation//DTD Struts Configuration 6.0//EN", "struts-6.0.dtd"); + put("-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN", "struts-6.5.0.dtd");

    Review Comment:
       Yeah. It makes sense. I've updated the naming accordingly. Thanks.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 914325)
    Time Spent: 1h  (was: 50m)

> Introduce final attribute to package elements which makes them unextendable
> ---------------------------------------------------------------------------
>
>                 Key: WW-5409
>                 URL: https://issues.apache.org/jira/browse/WW-5409
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some
> quirks that, if a developer is not aware of them, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> <package name="package1">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>{code}
> If it is extended by another package like so:
> {code:xml}
> <package name="package2" extends="package1">
>     <default-interceptor-ref name="authenticatedOnly"/>
>     <action name="action2" class="Action2">
>         <result name="success" />
>     </action>
> </package>{code}
> The second package will inherit Action1; however, it will behave very
> differently in Package2, because it is no longer subject to the same
> interceptors.
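Review bot: the added `put(...)` entry uses a three-part version ("6.5.0") in both the public identifier and the file name, while the three existing entries in this hunk use two-part versions ("2.3", "2.5", "6.0"), so for a consistent scheme the new line should read `put("-//Apache Software Foundation//DTD Struts Configuration 6.5//EN", "struts-6.5.dtd");`. Whichever form is kept, the public id string here must match the one used in the bundled DTD and in application struts.xml DOCTYPE declarations, because this map is what resolves a DOCTYPE's public id to the local DTD file.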
> The {{default-interceptor-ref}} value from the first package does not apply
> to any action in the extending package, not even the ones defined in the
> inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
> <package name="package1" final="true">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
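The inheritance quirk and the proposed final attribute described in the issue above, turned into a static check over struts.xml. This is an added example, not Struts project code and not the reporter's: it parses a struts.xml with the standard library, resolves each package's extends chain, and reports inherited actions whose effective default interceptor stack differs from the one in the package that declared them, plus any package that extends a package marked final="true". The sample struts.xml is constructed here (package1/package2 follow the issue; package3, secure and package4 are added to exercise the other cases), and the fallback rule that a package without its own default-interceptor-ref uses its nearest ancestor's is an assumption, not something the issue states.

```python
"""Static check for the struts.xml package-inheritance quirk from WW-5409.
Added example, not Struts project code."""
import xml.etree.ElementTree as ET

# Constructed sample: package1/package2 follow the issue text; package3,
# secure and package4 are added to exercise the other cases.
STRUTS_XML = """\
<struts>
  <package name="package1">
    <default-interceptor-ref name="adminOnly"/>
    <action name="action1" class="Action1">
      <result name="success"/>
    </action>
    <action name="audit" class="AuditAction">
      <interceptor-ref name="adminOnly"/>
      <result name="success"/>
    </action>
  </package>
  <package name="package2" extends="package1">
    <default-interceptor-ref name="authenticatedOnly"/>
    <action name="action2" class="Action2">
      <result name="success"/>
    </action>
  </package>
  <package name="package3" extends="package1">
    <action name="action3" class="Action3">
      <result name="success"/>
    </action>
  </package>
  <package name="secure" final="true">
    <default-interceptor-ref name="adminOnly"/>
    <action name="purge" class="PurgeAction">
      <result name="success"/>
    </action>
  </package>
  <package name="package4" extends="secure">
    <default-interceptor-ref name="authenticatedOnly"/>
  </package>
</struts>
"""


def parse_packages(xml_text):
    """Map package name -> {extends, final, default, actions}; ``actions`` maps
    action name -> explicit <interceptor-ref> names ([] means "use the default")."""
    pkgs = {}
    for p in ET.fromstring(xml_text).findall("package"):
        default_ref = p.find("default-interceptor-ref")
        pkgs[p.get("name")] = {
            "extends": [e.strip() for e in (p.get("extends") or "").split(",") if e.strip()],
            "final": p.get("final") == "true",  # attribute proposed in WW-5409
            "default": None if default_ref is None else default_ref.get("name"),
            "actions": {a.get("name"): [r.get("name") for r in a.findall("interceptor-ref")]
                        for a in p.findall("action")},
        }
    return pkgs


def ancestors(pkgs, name, seen=None):
    """Packages ``name`` transitively extends, nearest first (unknown parents skipped)."""
    seen = set() if seen is None else seen
    out = []
    for parent in pkgs[name]["extends"]:
        if parent in pkgs and parent not in seen:
            seen.add(parent)
            out.append(parent)
            out.extend(ancestors(pkgs, parent, seen))
    return out


def effective_default(pkgs, name):
    """Default interceptor ref applied to actions resolved through ``name``.
    A package declaring its own default-interceptor-ref overrides the parent's for
    every action it exposes, inherited ones included (the quirk in the issue).
    Assumption, not stated in the issue: a package without one falls back to its
    nearest ancestor's."""
    for candidate in [name] + ancestors(pkgs, name):
        if pkgs[candidate]["default"]:
            return pkgs[candidate]["default"]
    return None


def lint(pkgs):
    """Return a list of (severity, message) findings."""
    findings = []
    for name, pkg in pkgs.items():
        for parent in pkg["extends"]:
            if parent not in pkgs:
                findings.append(("ERROR", f"{name}: extends unknown package {parent}"))
            elif pkgs[parent]["final"]:
                findings.append(("ERROR", f"{name}: extends final package {parent}"))
        here = effective_default(pkgs, name)
        for anc in ancestors(pkgs, name):
            there = effective_default(pkgs, anc)
            for action, explicit in pkgs[anc]["actions"].items():
                if explicit or there == here:  # explicit interceptor-refs ignore the default
                    continue
                findings.append(("WARN", f"{name}/{action} (from {anc}) runs under "
                                         f"{here!r} instead of {there!r}"))
    return findings


def run(xml_text=STRUTS_XML):
    """Parse and lint; returns the findings list (print it from a script if wanted)."""
    return lint(parse_packages(xml_text))
```

Against the sample, run() reports a WARN for package2/action1 (inherited from package1, now running under authenticatedOnly instead of adminOnly), an ERROR for package4 extending the final package secure, and a WARN for package4/purge; package3 is silent because it declares no default of its own, and package1's audit action is silent because its explicit interceptor-ref is unaffected by either default. Pass the contents of a real struts.xml to run() to apply the same check to an application.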