
issues@struts.apache.org 13 November 2007 • 10:27AM -0500

[jira] Commented: (WW-2316) Ability to prevent method:METHOD_NAME access
by Dave Newton (JIRA)

    [ https://issues.apache.org/struts/browse/WW-2316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42635 ]

Dave Newton commented on WW-2316:
---------------------------------

Was the general philosophy of WW that "a public action in an action is always available to an app user"?

If so, methods that don't want to be exposed can just be made private (protected?).

If you're using an action method from somewhere else in the app then perhaps it belongs somewhere else anyway.

Privilege checks would have to be done either in the method or through an interceptor, and they'd only be on public methods.

> Ability to prevent method:METHOD_NAME access
> --------------------------------------------
>
>                 Key: WW-2316
>                 URL: https://issues.apache.org/struts/browse/WW-2316
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Dispatch Filter
>    Affects Versions: 2.0.11, 2.1.0
>            Reporter: Dale Newfield
>             Fix For: 2.1.1
>
>
> In order to allow multiple form submission buttons to result in different behavior based on the button pressed, a specially named parameter is included in the form submission that instructs the ActionMapper to call a method indicated in the URL.  This special parameter can be used to implement a credential escalation attack, though:  If a user has sufficient credentials to call a single method on an action, this provides a mechanism whereby they could call any method on that action.  The "action!method.do" capability introduces a similar vulnerability, and the "allowDynamicMethodCalls" option closes that hole.  Besides needing to provide a different mechanism to allow different form submission buttons to do different things, is there a large downside to using this same option ("allowDynamicMethodCalls") to close this hole as well?
> (Just to be explicit, that solution would wrap "if (allowDynamicMethodCalls) {" and "}" around lines 186-188 in org.apache.struts2.dispatcher.mapper.DefaultActionMapper.java .)
> http://www.nabble.com/forum/ViewPost.jtp?post=13710147&framed=y
> http://www.nabble.com/forum/ViewPost.jtp?post=13711925&framed=y

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
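The escalation described in the issue, and the "make it private or check it in an interceptor" mitigation from the comment, as an added example. This is not code from the Struts project or from anyone in this thread: the action and interceptor class names, the "account" action name, the "role" session attribute, the "forbidden" result name and the per-action method table are all assumptions made for illustration. The struts.xml constant struts.enable.DynamicMethodInvocation is the configuration name behind the mapper's allowDynamicMethodCalls flag; as the report says, in the affected versions it closes only the "action!method" form, not the "method:NAME" parameter.

```java
// --- AccountAction.java ---
// Added example, not code from Struts or from this thread. Names, session key
// and result names are assumptions for illustration.
package example;

import com.opensymphony.xwork2.ActionSupport;

public class AccountAction extends ActionSupport {
    private String accountId;

    public void setAccountId(String accountId) { this.accountId = accountId; }

    // Entry point the form is meant to reach. <s:submit value="Save" method="save"/>
    // renders a button named "method:save"; DefaultActionMapper reads that parameter
    // name and dispatches to save() instead of execute().
    public String save() {
        // ... persist changes to accountId ...
        return SUCCESS;
    }

    // Also public, so the same form can be replayed with the parameter renamed:
    //   POST /account.action   accountId=42&method:delete=x
    // and the mapper calls delete(), whether or not the page ever offered that button.
    public String delete() {
        // ... remove accountId ...
        return SUCCESS;
    }

    // Internal helper: private, so no "method:" parameter can ever reach it.
    private void audit(String what) {
        // ... write an audit record ...
    }
}

// --- MethodAllowListInterceptor.java ---
// Enforces, per action, which methods a non-admin request may invoke: the
// "through an interceptor" option from the comment above. The policy table is made up.
package example;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class MethodAllowListInterceptor extends AbstractInterceptor {
    // action name -> methods a non-admin session may invoke (assumed policy)
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        ALLOWED.put("account", new HashSet<String>(Arrays.asList("execute", "save")));
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String action = invocation.getProxy().getActionName();
        // Resolved method name: "delete" for either method:delete or account!delete.
        String method = invocation.getProxy().getMethod();
        if (method == null || method.length() == 0) {
            method = "execute";
        }
        Map<String, Object> session = ActionContext.getContext().getSession();
        boolean admin = "admin".equals(session.get("role")); // assumed session attribute

        Set<String> allowed = ALLOWED.containsKey(action)
                ? ALLOWED.get(action) : Collections.<String>emptySet();
        if (!admin && !allowed.contains(method)) {
            // Deny before the action runs. "forbidden" must be mapped as a global result.
            return "forbidden";
        }
        return invocation.invoke();
    }
}

// --- struts.xml (fragment) ---
// <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
//   closes the "account!delete" form; per the report, the "method:delete"
//   parameter is still honoured in 2.0.11/2.1.0, which is what this issue asks to gate.
// <interceptors>
//   <interceptor name="methodAllowList" class="example.MethodAllowListInterceptor"/>
//   <interceptor-stack name="guardedStack">
//     <interceptor-ref name="methodAllowList"/>
//     <interceptor-ref name="defaultStack"/>
//   </interceptor-stack>
// </interceptors>
// <default-interceptor-ref name="guardedStack"/>
```

The interceptor runs before the params interceptor populates the action, so it only ever sees the action name and the method the mapper resolved; that is the point at which to decide, since by the time delete() runs it is too late. Making helpers private removes them from the mapper's reach entirely, which is the cheaper fix wherever a method has no reason to be an entry point.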
