Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 2.3.7
Description
The fix for WW-3866 (Revision 1379386) changes the logic for acceptable parameter names from
com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.
boolean acceptableName = acceptableName(name) && (parameterNameAware == null || parameterNameAware.acceptableParameterName(name));
to
com.opensymphony.xwork2.interceptor.ParametersInterceptor, line 282ff.
boolean acceptableName = acceptableName(name) || (parameterNameAware != null && parameterNameAware.acceptableParameterName(name));
This might pose a security risk if implementations relied on their actions for parameter name validation (e.g. by explicitly whitelisting parameters via ParameterNameAware), because once the interceptor's own acceptableName(name) check passes, the action's acceptableParameterName(name) is no longer consulted.
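The following stand-alone program, added here to illustrate the report and not taken from Struts or the reporter, models both versions of the predicate against an action that whitelists parameter names. The ACCEPTED pattern is an assumed simplification of the interceptor's own name check, and the whitelist is constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class AcceptableNameDemo {
    // Assumed stand-in for the interceptor's own acceptableName() check
    // (a pattern in the spirit of the default accepted-name regex).
    static final Pattern ACCEPTED = Pattern.compile("[a-zA-Z0-9\\.\\]\\[\\(\\)_']+");

    // Stand-in for com.opensymphony.xwork2.interceptor.ParameterNameAware.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }

    static boolean acceptableName(String name) {
        return ACCEPTED.matcher(name).matches();
    }

    // Logic before WW-3866: interceptor check AND action whitelist.
    static boolean beforeFix(String name, ParameterNameAware action) {
        return acceptableName(name)
            && (action == null || action.acceptableParameterName(name));
    }

    // Logic after revision 1379386: interceptor check OR action whitelist.
    static boolean afterFix(String name, ParameterNameAware action) {
        return acceptableName(name)
            || (action != null && action.acceptableParameterName(name));
    }

    public static void main(String[] args) {
        // A constructed action that relies on an explicit whitelist of parameter names.
        final List<String> allowed = Arrays.asList("username", "password");
        ParameterNameAware whitelistingAction = allowed::contains;

        for (String name : Arrays.asList("username", "admin", "user.role")) {
            System.out.printf("%-10s before=%b after=%b%n", name,
                beforeFix(name, whitelistingAction),
                afterFix(name, whitelistingAction));
        }
        // "admin" and "user.role" are rejected by the old predicate but accepted by
        // the new one: they satisfy acceptableName(), so the whitelist is never asked.
    }
}
```

A defender checking for exposure can run the same two predicates over the action's whitelist and the set of parameter names the interceptor would otherwise accept; any name accepted only by the second predicate is a parameter the action no longer controls.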