[
https://issues.apache.org/jira/browse/WW-5468?focusedWorklogId=937732&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-937732
]
ASF GitHub Bot logged work on WW-5468:
--------------------------------------
Author: ASF GitHub Bot
Created on: 12/Oct/24 12:04
Start Date: 12/Oct/24 12:04
Worklog Time Spent: 10m
Work Description: kusalk opened a new pull request, #1072:
URL: https://github.com/apache/struts/pull/1072
WW-5468
--
The `@StrutsParameter` requirement was designed to protect against arbitrary
getters and setters on the Action class from being invoked by users and/or
attackers. However, if an Action is using a dedicated model object alongside
the `ModelDrivenInterceptor` (which ensures the Action is not on the root of
the value stack) much of this risk is mitigated. I suggest we exempt this
specific scenario from requiring the `@StrutsParameter` annotation.
Issue Time Tracking
-------------------
Worklog Id: (was: 937732)
Time Spent: 1.5h (was: 1h 20m)
> ModelDriven is not compatible with @StrutsParameter
> ---------------------------------------------------
>
> Key: WW-5468
> URL: https://issues.apache.org/jira/browse/WW-5468
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 7.0.0
> Reporter: Lukasz Lenart
> Priority: Major
> Fix For: 7.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Currently if a Struts webapp uses {{ModelDriven<T>}} it won't be possible to
> use {{@StrutsParameter}} annotation on {{#getModel()}} getter.
> Use rest-angular as example
> https://github.com/apache/struts-examples/blob/master/rest-angular/src/main/resources/struts.xml#L13
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
