Dear Miguel! Thank you very much for your thoughts on the problem and your feedback! Keep up the good work!
All the best!
krassen

On 26.11.13 10:19, Miguel Almeida wrote:
> Picking up on this topic, I noticed that disabling this feature will
> break any JSPs where you've set the action in the <s:submit> tag instead
> of the <s:form> tag.
>
> This is particularly problematic in situations where for some reason
> you have one form with two submit tags, since the submit is the only
> place where you can distinguish the actions.
>
> This can also be related to a similar situation in s2-019, where the
> disabling of the DMI makes the method="" parameter of the tags unusable.
>
> I've learnt that this will be better handled in a future version of
> Struts, so my assumption is that the normal behaviour will return in
> both situations on a future non-security release - hopefully the next
> one! Maybe someone from the dev team can share their input with us?
>
> Kind regards,
> Miguel Almeida
>
> On Wed, 2013-11-20 at 04:33 +0100, Krassen Deltchev wrote:
>
>> Dear Struts2 mailing list,
>>
>> I have the following question(s) / I need the following advice:
>> by default the "action:" prefix is set to false in Struts2 v2.3.15.3 as to:
>> http://struts.apache.org/release/2.3.x/docs/s2-018
>> for security reasons,
>> but I need to set it back to true (i.e. the
>> struts.mapper.action.prefix.enabled) because my actions do not work
>> after the library update, and if I decide to go another way to solve this
>> issue, I need to do a lot of refactoring on my code;
>> So my question is:
>> if I enable the "action:" prefix, does it mean that I automatically
>> compromise/expose my application to the security issues discussed in
>> s2-16, s2-17 and s2-18?
>> Is there a workaround for my scenario, that I can enable the prefix, but
>> still maintain the security level of my application considering the
>> enumerated above issues? (can I achieve better results if I tweak
>> properly the struts.mapper.action.prefix.crossNamespaces)
>>
>> many thanks for your opinions and support!
>>
>> Best,
>>
>> krassen

--
Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I
http://www.xing.com/profile/Krassen_Deltchev
http://de.linkedin.com/pub/krassen-deltchev/22/632/12
http://www.slideshare.net/test2v
https://twitter.com/#!/test2v
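A struts.xml fragment added here as an illustration (it is not from the thread or from the Struts project) that puts the setting Krassen asks about beside the hardened s2-018 default; the two constant names are the ones quoted in the thread, while the package, action and class names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Weak: re-enables the "action:" prefix that s2-018 turned off, so a
       request parameter can again choose which action handles a form post;
       allowing it across namespaces widens the set of reachable actions. -->
  <!--
  <constant name="struts.mapper.action.prefix.enabled" value="true"/>
  <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>
  -->

  <!-- Hardened: state the 2.3.15.3 defaults explicitly so a later config
       merge or copied snippet cannot silently re-enable the prefix. -->
  <constant name="struts.mapper.action.prefix.enabled" value="false"/>
  <constant name="struts.mapper.action.prefix.crossNamespaces" value="false"/>

  <!-- Assumed mapping. With the prefix disabled the JSP names the target on
       <s:form action="save"> rather than on <s:submit action="...">; a form
       that needs two buttons gives each <s:submit> a distinct name and the
       single action branches on which button parameter arrived, so the
       request no longer selects the action class itself. -->
  <package name="orders" namespace="/orders" extends="struts-default">
    <action name="save" class="example.SaveOrderAction"> <!-- hypothetical -->
      <result name="success">/WEB-INF/jsp/orders/saved.jsp</result>
      <result name="cancel">/WEB-INF/jsp/orders/cancelled.jsp</result>
    </action>
  </package>
</struts>
```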