  1. Struts 2
  2. WW-3213

StaticParametersInterceptor does not set setDenyMethodExecution()

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.6, 2.1.8
    • Fix Version/s: 2.1.8
    • Component/s: Core Interceptors
    • Labels: None

    Description

      Static parameters can be set from wildcards in the action name, so I believe they are also vulnerable to OGNL method invocation security issues.

      Perhaps StaticParametersInterceptor could be refactored to extend ParametersInterceptor just as ActionMappingParametersInterceptor does?

            People

              Assignee: Unassigned
              Reporter: Jasper Rosenberg (perfnorm)