Struts 2 / WW-3214

AliasInterceptor does not set setDenyMethodExecution()

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.6, 2.1.8
    • Fix Version/s: 2.1.8
    • Component/s: Core Interceptors
    • Labels: None

      Description

      There are actually a lot of issues with AliasInterceptor:

      1. It injects the aliased parameter without first setting ReflectionContextState.setDenyMethodExecution(contextMap, true). This is a security issue.
      2. It doesn't handle conversion errors.
      3. It doesn't set setCreatingNullObjects(contextMap, true) like all other parameter-injecting interceptors.
      4. It uses a different instance of the parameter map than all of the other parameter-related interceptors (stack.getContext().get("parameters") rather than ac.getParameters()).
      5. It doesn't offer an option to not inject the other parameters later on (in other words, if I alias A to B, the contents of A get injected twice, once as A and once as B, assuming I have ParameterInterceptor in the stack too and haven't explicitly filtered out A). This is more of an enhancement request, of course.

      My 2 cents is that the AliasInterceptor should just be deprecated, and the ability to alias a parameter should just be moved to ParameterInterceptor. It would be nice too because, if you made static params also extend params (WW-3213), then all three parameter-injecting interceptors would support aliasing. That would be a nice consistency, and useful now that static-params can be set by wildcards. Issue 5 could be more easily implemented from within the main params interceptor as well.

              People

              • Assignee: Unassigned
              • Reporter: perfnorm Jasper Rosenberg
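The guard named in point 1 of the description, together with the flags from points 2 and 3, written the way ParametersInterceptor wraps its value-stack writes. This is an added example, not code from the issue or from the Struts fix: the class GuardedAliasInjector and its inject method are hypothetical, and it assumes the XWork/Struts 2 jars are on the classpath.

```java
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.reflection.ReflectionContextState;

import java.util.Map;

/** Hypothetical helper (not Struts code): writes aliased values under reflection guards. */
public final class GuardedAliasInjector {

    private GuardedAliasInjector() {
    }

    /**
     * @param ac      context of the current action invocation
     * @param stack   value stack the aliased values are written to
     * @param aliases alias expression -> value already resolved by the caller
     */
    public static void inject(ActionContext ac, ValueStack stack, Map<String, Object> aliases) {
        Map<String, Object> contextMap = ac.getContextMap();
        try {
            // Point 1: setValue() evaluates its first argument as an OGNL
            // expression, so forbid method execution while values are set.
            ReflectionContextState.setDenyMethodExecution(contextMap, true);
            // Point 3: create intermediate null objects on nested property
            // paths, as the other parameter-injecting interceptors do.
            ReflectionContextState.setCreatingNullObjects(contextMap, true);
            // Related to point 2: have conversion failures recorded in the
            // context instead of being silently dropped.
            ReflectionContextState.setReportingConversionErrors(contextMap, true);

            for (Map.Entry<String, Object> entry : aliases.entrySet()) {
                stack.setValue(entry.getKey(), entry.getValue());
            }
        } finally {
            // Always restore the flags so later interceptors and the action
            // itself run with the context in its normal state.
            ReflectionContextState.setReportingConversionErrors(contextMap, false);
            ReflectionContextState.setCreatingNullObjects(contextMap, false);
            ReflectionContextState.setDenyMethodExecution(contextMap, false);
        }
    }
}
```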