
user@struts.apache.org


Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It Łukasz Lenart Wed Feb 29 01:00:38 2012

2012/2/28 [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Lukasz - I agree with you, but until a new version of Struts 2 is released
> that includes a fix for this vulnerability, I'd like to tell Struts 2
> developers what to do when implementing the SessionAware interface to
> mitigate the vulnerability.
>
> If you could look over what I wrote in the initial post and provide any
> feedback on that I'd certainly appreciate your comments.

Your proposal is fair enough; maybe also add a note about changing
excludeParams (as in WW-3631) to solve the problem completely, as it's
better to make a change in one place than to implement the same
interface (ParameterNameAware) over and over.


Regards
-- 
Łukasz
Mobile +48 606 323 122
Office +27 11 0838747
http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/
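The per-action mitigation discussed in this thread (an action that implements SessionAware also implementing ParameterNameAware so the params interceptor will not bind request parameters such as "session.foo" onto the exposed session map) looks roughly like the class below. This is an added illustration, not code from the thread or from the Struts project; the action name, its two fields and the allow-list pattern are hypothetical, and the Struts 2 / XWork 2 interfaces it implements are assumed to be on the classpath as in Struts 2.3.x.

```java
package example;

import java.util.Map;
import java.util.regex.Pattern;

import org.apache.struts2.interceptor.SessionAware;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Hypothetical action (not from the thread). SessionAware hands it the
 * session map, which the params interceptor can otherwise reach through
 * OGNL parameter names like "session.admin". acceptableParameterName()
 * is the per-action check that ParametersInterceptor consults before it
 * binds a parameter.
 */
public class ProfileAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // Allow-list of the parameter names this action really binds.
    // Anything else, including "session.*" or any traversal through
    // the session map, is rejected before OGNL ever evaluates it.
    private static final Pattern ALLOWED =
            Pattern.compile("^(displayName|emailAddress)$");

    private Map<String, Object> session;
    private String displayName;
    private String emailAddress;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && ALLOWED.matcher(parameterName).matches();
    }

    public void setDisplayName(String displayName) {
        this.displayName = displayName;
    }

    public void setEmailAddress(String emailAddress) {
        this.emailAddress = emailAddress;
    }

    @Override
    public String execute() {
        // Only the action itself decides what goes into the session.
        session.put("profile.displayName", displayName);
        session.put("profile.emailAddress", emailAddress);
        return SUCCESS;
    }
}
```

The one-place alternative Łukasz refers to is to change the params interceptor's excludeParams in struts.xml so that a pattern such as `^session\..*` is rejected for every action, which removes the need to repeat this interface in each SessionAware action; the exact pattern list belongs to the project's configuration and is not shown here.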
