Dear Bruce,
I checked the tag strict-method-invocation, but

  <package name="default" extends="struts-default" namespace="/"
           strict-method-invocation="true">
  </package>

But it is not working for me. Give me some sample codes.
-----Original Message-----
From: Łukasz Lenart [mailto:lukasz.len...@googlemail.com] 
Sent: Friday, December 16, 2011 12:43 PM
To: Struts Users Mailing List
Subject: Re: Dynamic Method Invocation Changes In Struts 2.3.1 Release

Thanks Bruce, I'm checking that right now, give me some time


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/


2011/12/15 bphill...@ku.edu <bphill...@ku.edu>:
> I'd previously blogged about the security vulnerability that exists when Struts
> dynamic method invocation is not disabled
> (http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation).
> I was happy to learn that this vulnerability was addressed in the 2.3.1 release.
>
> However, after adding the strict-method-invocation="true" to my package
> statement a user of my example application is still able to execute any
> public method (for example getPassword) of the action class.
>
> I'm following the instructions here
> (http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation)
> that state to add strict-method-invocation="true" to the package statement to
> prevent dynamic method invocation from executing any method except the method
> specified in the method attribute of the action.
>
> You can download the example application from my blog post
> (http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation)
> to see how I tested the 2.3.1 release and dynamic method invocation. See the
> readme file in the download for instructions on how to build and deploy the
> example.
>
> Have I missed some additional configuration that must be done to prevent
> dynamic method invocation from allowing the user to execute methods besides
> the method specified in the action's method attribute?
>
> Thank you for the assistance.
>
> --
> View this message in context: 
> http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5077597.html
> Sent from the Struts - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>


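As an added example (not code from the thread, from Bruce's download, or from the Struts project), here is a complete struts.xml that configures the package the thread is discussing. It combines the package-level strict-method-invocation flag from the 2.3.1 docs with the older struts.enable.DynamicMethodInvocation constant, which switches off the action!method URL suffix altogether and so blocks requests such as /register!getPassword.action regardless of how the strict flag behaves. The action name, class name and result paths are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>

    <!-- Disable the "action!method" suffix entirely. With this set to false the
         mapper no longer splits the request on "!", so /register!getPassword.action
         is not dispatched to getPassword(). This constant predates the 2.3.1
         strict-method-invocation flag and works independently of it. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Package-level strict method invocation, as described in the thread:
         only the method named in each action's method attribute may be invoked. -->
    <package name="default" extends="struts-default" namespace="/"
             strict-method-invocation="true">

        <!-- Placeholder action for the example: class, method and result
             locations are assumptions, not taken from the thread. -->
        <action name="register" class="example.RegisterAction" method="execute">
            <result name="success">/WEB-INF/jsp/registered.jsp</result>
            <result name="input">/WEB-INF/jsp/register.jsp</result>
        </action>

    </package>
</struts>
```

To repeat the test Bruce describes, deploy with this configuration and request /register!getPassword.action: the request must not reach the action's getPassword() method. Keep the constant even once the strict flag is confirmed to work, since it closes the "!" syntax at the URL-mapping stage rather than relying on the per-package check alone, and avoid exposing sensitive values through public getters on action classes in the first place.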