Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-3213

StaticParametersInterceptor does not set setDenyMethodExecution()

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.6, 2.1.8
    • Fix Version/s: 2.1.8
    • Component/s: Core Interceptors
    • Labels:
      None

      Description

      Static parameters can be set from wildcards in the action name, so I believe they are also vulnerable to ognl method invocation security issues.

      Perhaps StaticParametersInterceptor could be refactored to extend ParametersInterceptor just as ActionMappingParametersInteceptor does?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                perfnorm Jasper Rosenberg
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: