Struts 2
  1. Struts 2
  2. WW-4257

ParametersInterceptor uses same method on ParameterNameAware interface to validate parameters and properties

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.16
    • Fix Version/s: 2.3.20
    • Component/s: None
    • Labels:
      None

      Description

      With version 2.3.16, the ParametersInterceptor uses the same method to validate parameter names and property names.
      As we use the ParameterNameAware interface to implement parameter whitelisting on action level, this breaks our case.

      It might not be how it is intended, but validating a property independent of the actual bean breaks our current implementation.

      Possible fixes would be:

      • alter ParameterNameAware to have an additional separate method to validate properties
      • introduce a new PropertyNameAware interface
      • introduce a new ParameterAndPropertyNameAware interface

      One could also consider to ignore the ParameterNameAware interface when validating properties, as for a parameter foo.bar, the values foo.bar, foo, and bar are passed to the ParameterNameAware interface, which one could see as a bit redundant. Especially given the fact that a context in the case of property validation is not provided. Therefore, it is impossible for the implementation to distinguish between a parameter and a property.

      1. ww-4257.patch
        5 kB
        Christoph Lenggenhager

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Lukasz Lenart
            Reporter:
            Christoph Lenggenhager
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development