[STR-2742] Validation always skipped with Globals.CANCEL_KEY - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.2.8
Fix Version/s: 1.2.9
Component/s: Core
Labels:
None
Environment:
Operating System: other
Platform: Other

Bugzilla Id:
38374

Description

Issue: addition of a 'org.apache.struts.taglib.html.Constants.CANCEL'
parameter to any request will cause validation to be skipped, but the rest of
the request processing / action invocation cycle to proceed normally

Consequence: any action which proceeds assuming that validation has completed
successfully and which doesn't explicitly check isCanceled() is proceeding on a
broken assumption.

The discussion of this issue began in the struts-user list:
http://mail-archives.apache.org/mod_mbox/struts-user/200601.mbox/%3c20060121221800.15814.qmail@web32607.mail.mud.yahoo.com%3e

The thread continued in struts-dev list:
http://mail-archives.apache.org/mod_mbox/struts-dev/200601.mbox/%3cdr169r$623$2@sea.gmane.org%3e

Most people have agreed that this is a security-related issue.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ASF.LICENSE.NOT.GRANTED--ValidateCancelable.txt
25/Jan/06 11:39
3 kB
Paul Benedict
ASF.LICENSE.NOT.GRANTED--ValidateCancelable.txt
25/Jan/06 11:46
3 kB
Paul Benedict
ASF.LICENSE.NOT.GRANTED--UnsupportedCancellationException.java
28/Jan/06 14:54
2 kB
Paul Benedict
ASF.LICENSE.NOT.GRANTED--rp13-patch.txt
15/Feb/06 10:17
3 kB
Paul Benedict
ASF.LICENSE.NOT.GRANTED--patch.txt
28/Jan/06 14:53
5 kB
Paul Benedict
ASF.LICENSE.NOT.GRANTED--InvalidCancelException.java
14/Feb/06 13:03
2 kB
Paul Benedict
ASF.LICENSE.NOT.GRANTED--cancellable.txt
14/Feb/06 13:01
5 kB
Paul Benedict

Activity

People

Assignee:: Unassigned

Reporter:: Paul Benedict

Votes:: 2 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 25/Jan/06 11:36

Updated:: 26/Apr/06 01:46

Resolved:: 26/Apr/06 01:46