Description
Extending packages is a very useful capability of Struts but there are some quirks, that if a developer is not aware of, can lead to critical vulnerabilities.
One such misunderstood quirk is the default-interceptor-ref element.
Take the following package:
<package name="package1"> <default-interceptor-ref name="adminOnly"/> <action name="action1" class="Action1"> <result name="success" /> </action> </package>
If it is extended by another package like so:
<package name="package2" extends="package1"> <default-interceptor-ref name="authenticatedOnly"/> <action name="action2" class="Action2"> <result name="success" /> </action> </package>
The second package will inherit Action1, however it will behave very differently in Package2, because it is no longer subject to the same interceptors. The default-interceptor-ref value from the first package does not apply to any action in the extending package, not even the ones defined in the inherited one.
This is not immediately obvious to many developers, especially those not very familiar with Struts. They could simply have extended the package to obtain access to other elements such as results or result-types.
One potential mitigation against this developer error is to mark potentially sensitive packages as 'final' to prevent certain Actions from being inherited by other packages.
This would look like the following:
<package name="package1" final="true"> <default-interceptor-ref name="adminOnly"/> <action name="action1" class="Action1"> <result name="success" /> </action> </package>
Attachments
Issue Links
- links to