struts-user mailing list archives

From Lukasz Lenart <lukasz.len...@googlemail.com>
Subject Re: Struts 2.2.1 Problem
Date Thu, 23 Sep 2010 08:43:14 GMT
Maybe it's related to that
http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

I've added some more restrictive rules regarding request parameter
names. A lot of special characters are disallowed; take a look at line
138
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java?view=markup

You can always declare your own by declaring acceptParamNames for
that interceptor.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Kapituła Javarsovia 2010 http://javarsovia.pl

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
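
Added example, not part of the original message and not Struts code: a stand-alone Java check for trying a custom parameter-name allowlist against sample names before declaring it as acceptParamNames. The class name, the default pattern and the comma-delimited input format are assumptions for illustration; the real default is at the line linked in the message.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical stand-alone allowlist check on request parameter names. */
public class ParamNameAllowlist {
    // Assumed restrictive default, for illustration only.
    static final String ASSUMED_DEFAULT = "[a-zA-Z0-9\\.\\[\\]_']+";

    private final List<Pattern> accepted = new ArrayList<>();

    /** Assumption: patterns arrive as one comma-delimited string,
     *  so a pattern in this sketch cannot itself contain a comma. */
    ParamNameAllowlist(String commaDelimited) {
        for (String p : commaDelimited.split(",")) {
            if (!p.trim().isEmpty()) {
                accepted.add(Pattern.compile(p.trim()));
            }
        }
    }

    /** The whole name must match (matches(), not find()),
     *  so a single disallowed character rejects the parameter. */
    boolean accepts(String name) {
        for (Pattern p : accepted) {
            if (p.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample names: ordinary property paths and names with special characters.
        String[] names = { "user.name", "items[0].id", "map['key']",
                           "user-name", "a#b", "a=b", "a\\b", "a(b)" };
        ParamNameAllowlist strict = new ParamNameAllowlist(ASSUMED_DEFAULT);
        // An override that is too broad: every printable character is allowed again.
        ParamNameAllowlist loose = new ParamNameAllowlist("\\p{Graph}+");
        // A narrow override that only adds '-' to the assumed default.
        ParamNameAllowlist custom = new ParamNameAllowlist("[a-zA-Z0-9\\.\\[\\]_'-]+");

        System.out.printf("%-14s %-7s %-7s %-7s%n", "name", "strict", "loose", "custom");
        for (String n : names) {
            System.out.printf("%-14s %-7b %-7b %-7b%n",
                    n, strict.accepts(n), loose.accepts(n), custom.accepts(n));
        }
    }
}
```

Comparing the columns shows whether an override only admits the extra characters an application needs or re-admits the special characters the stricter rules were meant to block.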

