http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25649

Bug 25649: DOS attack by making DispatchAction recurse on execute()

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From [EMAIL PROTECTED]  2003-12-23 11:09 -------

Hi,

- I just had a look at the fix for the DOS attack in the CVS, and I'm afraid there is a mistake in it. The fix checks the name of the dispatch parameter (which can be "reqCode" for request code) instead of the name of the method to call. I think the code should be:

    // Get the method's name. This could be overridden in subclasses.
    String name = getMethodName(mapping, form, request, response, parameter);

    // Check the method name (not the parameter name): dispatching back to
    // the entry points themselves would recurse until the stack overflows.
    if ("execute".equals(name) || "perform".equals(name)) {
        // throw exception and log error message.
        String message = "DispatchAction refuses to dispatch to '" + name + "'";
        log.error(message);
        throw new ServletException(message);
    }

    // Invoke the named method.
    return dispatchMethod(mapping, form, request, response, name);

Please check the patch I submitted for the complete code.

- Will it be possible for the Struts developers to make a maintenance release of Struts 1.0 and 1.1 with this fix shortly? This bug is a major security problem for our clients and all Struts users.

Many thanks to the developers for their work.

Best regards,
Jean-Noel Ribette
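As an added illustration (not code from the Struts project or from the bug report above), the following self-contained Java class mimics the reflective dispatch and the method-name guard discussed in the comment; every class, method and parameter name in it is hypothetical. It shows why a check on the parameter name ("reqCode") never fires, while a check on the resolved method name stops the recursion before reflection is used.

```java
import java.lang.reflect.Method;
import java.util.Map;

// Hypothetical stand-in for a DispatchAction-style controller: the request
// parameter names the public method to invoke via reflection.
public class GuardedDispatcher {
    private final String parameter; // e.g. "reqCode"; a constructed sample value

    public GuardedDispatcher(String parameter) { this.parameter = parameter; }

    // Entry point, analogous to DispatchAction.execute().
    public String execute(Map<String, String> request) throws Exception {
        String name = request.get(parameter);
        if (name == null) throw new IllegalArgumentException("missing " + parameter);
        // A guard written as '"execute".equals(parameter)' compares "reqCode"
        // and therefore never matches. The resolved method name must be checked,
        // otherwise "?reqCode=execute" re-enters this method until StackOverflowError.
        if ("execute".equals(name) || "perform".equals(name)) {
            throw new IllegalStateException("refusing to dispatch to '" + name + "'");
        }
        Method m = getClass().getMethod(name, Map.class);
        return (String) m.invoke(this, request);
    }

    // Legacy entry point, analogous to perform(); it delegates to execute().
    public String perform(Map<String, String> request) throws Exception { return execute(request); }

    // Ordinary dispatch targets.
    public String save(Map<String, String> request) { return "saved"; }
    public String delete(Map<String, String> request) { return "deleted"; }

    public static void main(String[] args) throws Exception {
        GuardedDispatcher d = new GuardedDispatcher("reqCode");
        System.out.println(d.execute(Map.of("reqCode", "save")));    // saved
        try {
            d.execute(Map.of("reqCode", "execute"));                 // rejected by the guard
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```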
