2014-08-07 11:43 GMT+02:00 Fabian Richter <frich...@mtg.de>:
> Hey,
>
> we are wondering why struts params interceptor excludes
>
> ^application\..*
>
> as a parameter?
>
> To what kind of vulnerabilities would we open our applications if we allow
> parameters starting with application to be set by struts?

It's the same as session param - but you have access to the whole ServletContext

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/