2012/2/28 bphill...@ku.edu <bphill...@ku.edu>:
> Lukasz - I agree with you, but until a new version of Struts 2 is released
> that includes a fix for this vulnerability, I'd like to tell Struts 2
> developers what to do when implementing the SessionAware interface to
> mitigate the vulnerability.
>
> If you could look over what I wrote in the initial post and provide any
> feedback on that I'd certainly appreciate your comments.

Your proposal is fair enough, and maybe adding also a note about changing
excludeParams (as in WW-3631) to solve the problem completely, as it's
better to make a change in one place and not to implement the same
interface over and over (ParameterNameAware).

Regards
--
Łukasz
http://www.lenart.org.pl/
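
Added example (not part of the original thread, and not code from the Struts project): a sketch of the per-action mitigation discussed above, an action that implements both SessionAware and ParameterNameAware and refuses request parameter names that address its session property. The class name AccountAction, the displayName field, the property name "session" and the rejected pattern are assumptions made for illustration.

```java
import java.util.Map;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

// Hypothetical action, for illustration only.
public class AccountAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // Assumption: the session map is reachable on this action under the
    // property name "session". The pattern matches "session" on its own or
    // followed by a property or index accessor ("." or "["), but not
    // unrelated names that merely start with it, such as "sessionTimeout".
    private static final Pattern SESSION_PATH = Pattern.compile(
            "^\\s*session\\s*([.\\[].*)?$",
            Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    private Map<String, Object> session;
    private String displayName;

    // Called by the framework to hand the action its session map.
    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // The parameters interceptor asks the action about each request
    // parameter name before binding it; returning false skips that name.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && !SESSION_PATH.matcher(parameterName).matches();
    }

    // Ordinary form field that should still bind normally.
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getDisplayName() { return displayName; }

    @Override
    public String execute() {
        // Session writes happen only here, under the action's own control.
        session.put("displayName", displayName);
        return SUCCESS;
    }
}
```

As the reply notes, this check has to be repeated in every SessionAware action, whereas an excludeParams change is made once for the whole application.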