[jira] [Work logged] (WW-5267) Add configuration option to generate ActionContext even for excluded urls

Mon, 06 Mar 2023 22:31:41 -0800 


     [ 
https://issues.apache.org/jira/browse/WW-5267?focusedWorklogId=849469&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-849469
 ]

ASF GitHub Bot logged work on WW-5267:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Mar/23 06:30
            Start Date: 07/Mar/23 06:30
    Worklog Time Spent: 10m 
      Work Description: lukaszlenart commented on PR #663:
URL: https://github.com/apache/struts/pull/663#issuecomment-1457617483

   > > right now it would be possible to access `ActionContext` out of action, 
directly from JSP?
   > 
   > Not clear on what you mean, how so?
   
   If the flag is "on" and the request matches excluded urls, the 
`ActionContext` will be available in non-Struts managed endpoints. By design 
all the requests should be handled by the actions first and then forwarded into 
view layer (like JSP or Freemarker) - this also involves the whole security 
mechanism embedded into _normal_ flow (interceptors).
   
   With this change it is possible to overuse this functionality by having an 
excluded url and still accessing `ActionContext` out of action scope directly 
from JSP or Freemarker. User is "escaping" from Struts sandbox, yet having 
option to operate on `ActionContext` like 
`ActionContext.getContext().getContainer()`.
   
   This raises security concerns tbh.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 849469)
    Time Spent: 1h 50m  (was: 1h 40m)

> Add configuration option to generate ActionContext even for excluded urls
> -------------------------------------------------------------------------
>
>                 Key: WW-5267
>                 URL: https://issues.apache.org/jira/browse/WW-5267
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.2.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> There are scenarios where you may want to except a request from Struts 
> filtering/processing using `struts.action.excludePattern`, however you may 
> still want that request to undergo filtering such as SiteMesh, which requires 
> the ActionContext to be present.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to