Results 1 to 1 of 1
  1. #1
    BSRaghuram is offline Member
    Join Date
    Apr 2014
    Rep Power

    Default How to implement Exclude Params in Struts 1.3.8

    Hi All,


    The Apache Struts, there is operable vulnerability from outside the Java class loader in Struts 1 and Struts 2
    Reference Link : S2-020

    Apache Struts gave solution either to upgrade Struts version to or
    add '^class\.*' to the list of excludeParams as shown below.

    <interceptor-ref name="params">
    <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\.. *,^application\..*,^servlet(Request|Response)\..*, ^parameters\..*,^action:.*,^method:.*</param>

    My Problem

    1. I cannot upgrade my struts version form 1.3.8 to newer one as per my client request

    2. The above exclude params is used in Struts 2, but i need to use it in struts 1.3.8 to exculde '^class\.*'.

    Please suggest. Thank you in advance for your answers.

    Last edited by BSRaghuram; 05-01-2014 at 08:16 AM.

Similar Threads

  1. swt: GridData.exclude in Draw2d?
    By sanchau_in in forum SWT / JFace
    Replies: 0
    Last Post: 05-31-2012, 12:14 PM
  2. why are GObject method params double
    By wileedingo in forum New To Java
    Replies: 3
    Last Post: 05-06-2012, 08:27 PM
  3. struts2 not getting params info when validation fail
    By videanuadrian in forum Advanced Java
    Replies: 0
    Last Post: 09-16-2011, 12:45 PM
  4. Exclude character
    By ZeCute in forum New To Java
    Replies: 2
    Last Post: 05-23-2011, 08:19 PM
  5. Passing params by ref
    By kosko in forum Threads and Synchronization
    Replies: 2
    Last Post: 09-20-2010, 01:11 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts