Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-3214

AliasInterceptor does not set setDenyMethodExecution()



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.6, 2.1.8
    • Fix Version/s: 2.1.8
    • Component/s: Core Interceptors
    • Labels:


      There are actually a lot of issues with AliasInterceptor:

      1. It injects the aliased parameter without first setting ReflectionContextState.setDenyMethodExecution(contextMap, true). This is a security issue.
      2. It doesn't handle conversion errors
      3. It doesn't set setCreatingNullObjects(contextMap, true) like all other parameter injecting interceptors
      4. It uses a different instance of the parameter map than all of the other parameter related interceptors (stack.getContext().get("parameters") rather than ac.getParameters())
      5. It doesn't offer an option to not inject the other parameters later on (in other words if I alias A to B, the contents of A gets injected twice once as A, and once as B assuming I have ParameterInterceptor in the stack too and haven't explicitly filtered out A.) This is more of an enhancement request of course.

      My 2 cents is that the AliasInterceptor should just be deprecated, and the ability to alias a parameter should just be moved to ParameterInterceptor. It would be nice too because, if you made static parms also extend parms (WW-3213), then all three parameter injecting interceptors would support aliasing. That would be a nice consistency, and useful now that static-parms can be set by wildcards. Issue 5. could be more easily implemented from within the main parms interceptor as well.


          Issue Links



              • Assignee:
                perfnorm Jasper Rosenberg
              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created: