Thanks again Lukasz,
for question 1) Security issues: can you recommend some
modifications/actions/alterations in maybe certain
parts of the code, any advice on weak points we can focus in regardings
security issues?
for question 2)Prepare interceptor: So there's no way of remove the
"prepare" prefix? Maybe other implementation of
that Interceptor?
At this point my intention is to make a compromise between security and
usability. Right now we are exposed cause we're using
and old version of the framework but on the other hand the refactor
required to comply with the last version it's just too much.
I'm aiming at use the last version 2.3.16 with action.prefix enabled and
try to add security elements in our code in the hope of
preventing attacks.
I know certain data can't be shared though this mailing list as it would
expose vulnerabilities, maybe we can talk through
other chanel, personal email maybe? It would really help us if you could
tell me some guidelines.
Your help would be greatly appreciated.
Thanks again for everything, cheerz.
El 29/01/2014 17:18, Lukasz Lenart escribió:
2014-01-29 Manuel López Blasi <lopezbl...@conicet.gov.ar>:
1) Having the action.prefix enabled there's no intereference in the
securyity fixes introduced in the last versions, it should be all fully
working isn't it?
We have Dynamic Method Invocation disabled.
No, action: prefix can be dangerous but it depends on security model
implemented inside actions and application. I cannot share more on
public mailing list to not disclose security vulnerability.
2) Whe a button is clicked so it fires the method specified en the action
attribute of the s:submit tag it seems that it looks for the method
"prepareMethod" where Method is the method i specified, it seems that the
prefix "prepare" is appended. Is there a way to override or disable this
appending?
Same goes for the method validate, it is looking for "prepareValidate" , i
need to get rid of those appendings, since otherwise we would need to make a
huge refactor of
method namings in the project.
It is because of prepare interceptor which is included in stack you
are using. Basically prepareXXX is called to prepare action for
execution of desired method.
http://struts.apache.org/release/2.3.x/docs/prepare-interceptor.html
Regards
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
