struts-issues mailing list archives

From "John Lindal (JIRA)" <j...@apache.org>
Subject [jira] Commented: (WW-3538) Remove Dynamic Method Invocation
Date Thu, 02 Dec 2010 18:24:11 GMT

    [ https://issues.apache.org/jira/browse/WW-3538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12966219#action_12966219 ]

John Lindal commented on WW-3538:
---------------------------------

DMI can be quite useful.  That's why it was added :)

The right solution is to provide access control.  In my hacked version of 2.2.1, I use a whitelist
configuration, so only functions explicitly added to the whitelist can be invoked.  (execute
is the exception, since it is the default.)

Let me know if you want me to contribute patches for this.  It requires a change to the DTD
so the whitelist can be configured for each action.

> Remove Dynamic Method Invocation
> --------------------------------
>
>                 Key: WW-3538
>                 URL: https://issues.apache.org/jira/browse/WW-3538
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, 2.1.8.1, 2.2.1, 2.2.1.1
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>             Fix For: 2.3
>
>
> In all current Struts 2 versions you can use Dynamic Method Invocation to call a particular public Action's method using the syntax:
> /actionname!methodname
> It can be disabled by defining constant struts.enable.DynamicMethodInvocation = false

> The idea is to totally remove such functionality from the project.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
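
The per-action whitelist check described in the comment above, sketched as an added Java example for the `/actionname!methodname` syntax. It is not part of the original message, not Struts code and not the commenter's patch; the class name, the `ALLOWED` map, the `resolve` method and the sample action names are hypothetical.

```java
import java.util.Map;
import java.util.Set;

// Added illustration only: a deny-by-default method allowlist for DMI-style paths.
public class DmiAllowlistDemo {
    // Hypothetical per-action allowlist (constructed sample data).
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "user", Set.of("edit", "save"),
        "report", Set.of());              // no extra methods: only execute is reachable

    static final String DEFAULT_METHOD = "execute";

    /** Returns the method to invoke for a path such as "/user!edit", or null if denied. */
    static String resolve(String path) {
        String name = path.startsWith("/") ? path.substring(1) : path;
        int bang = name.indexOf('!');
        String action = bang < 0 ? name : name.substring(0, bang);
        String method = bang < 0 ? DEFAULT_METHOD : name.substring(bang + 1);

        Set<String> allowed = ALLOWED.get(action);
        if (allowed == null) {
            return null;                  // unknown action: nothing to invoke
        }
        if (method.equals(DEFAULT_METHOD)) {
            return method;                // execute is the default and always permitted
        }
        // Exact, case-sensitive match; an empty name after '!' is denied too.
        return allowed.contains(method) ? method : null;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {
            "/user", "/user!edit", "/user!delete", "/user!Edit",
            "/user!", "/report!export", "/nosuch!execute"
        };
        for (String s : samples) {
            String m = resolve(s);
            System.out.println(s + " -> " + (m == null ? "DENIED" : "invoke " + m + "()"));
        }
    }
}
```

With this sample data only `/user` and `/user!edit` resolve to a method; every other path is denied because its method is not listed for that action or the action is unknown.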

