Details
Description
- Issue: addition of an 'org.apache.struts.taglib.html.Constants.CANCEL' parameter to any request will cause validation to be skipped, but the rest of the request processing / action invocation cycle will proceed normally.
- Consequence: any action which proceeds assuming that validation has completed successfully and which doesn't explicitly check isCanceled() is proceeding on a broken assumption.
The discussion of this issue began in the struts-user list:
http://mail-archives.apache.org/mod_mbox/struts-user/200601.mbox/%3c20060121221800.15814.qmail@web32607.mail.mud.yahoo.com%3e
The thread continued on the struts-dev list:
http://mail-archives.apache.org/mod_mbox/struts-dev/200601.mbox/%3cdr169r$623$2@sea.gmane.org%3e
Most people have agreed that this is a security-related issue.
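
The check the report says actions are missing, sketched as an added example (not part of the original report and not Struts project code). It assumes Struts 1.x and the Servlet API on the classpath, where the method on `Action` is `isCancelled(HttpServletRequest)`; the class name `ValidatedAction`, the method `executeValidated` and the forward name `cancelled` are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical base class: business logic runs only on validated, non-cancelled requests. */
public abstract class ValidatedAction extends Action {

    /** Subclasses put the logic that relies on validated input here. */
    protected abstract ActionForward executeValidated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // A request flagged as cancelled had its validation skipped, so it
        // must never fall through to logic that trusts the form contents.
        if (isCancelled(request)) {
            // Assumed forward name; it has to be declared for this mapping
            // in struts-config.xml.
            return mapping.findForward("cancelled");
        }
        // Defence in depth: validate here instead of assuming the framework
        // already did so for this request.
        if (form != null) {
            ActionErrors errors = form.validate(mapping, request);
            if (errors != null && !errors.isEmpty()) {
                saveErrors(request, errors);
                return mapping.getInputForward();
            }
        }
        return executeValidated(mapping, form, request, response);
    }
}
```

Because `execute` is final, a subclass cannot skip the guard by accident. Mappings that deliberately set `validate="false"` should not extend this class, since it always calls `validate`.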