
I am facing a problem that I couldn't find a keyword for googling; the situation is the following:

<package name="Main" namespace="/" extends="struts-default">
    <action name="administrator" class="com.xyz.AdminAction">
        <result name="success">/WEB-INF/jsp/admin.jsp</result>
    </action>
</package>

The above URL should be http://xyz.com/administrator, and it works fine. However, if I change the URL to http://xyz.com/asdasd/asdasdasd/administrator, it still works, but I can't accept this! So is there any setting to tell Struts that only http://xyz.com/administrator is accepted? Thanks!

Roman C

Steve Lam
    Beware. If you've configured your Struts application in this particular way (setting 'alwaysSelectFullNamespace' to 'true'), your application is very likely vulnerable to CVE-2018-11776: https://semmle.com/news/apache-struts-CVE-2018-11776 – Bas van Schaik Aug 22 '18 at 21:01

1 Answer


Set the alwaysSelectFullNamespace property to true.

From struts-default.properties:

### Whether to always select the namespace to be everything before the last slash or not
struts.mapper.alwaysSelectFullNamespace=true

XML configuration is preferred, so in your struts.xml:

<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  ...
Dave Newton
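To make the answer concrete, here is a small model of how a Struts 2 action mapper turns a request path into a (namespace, action name) pair, with struts.mapper.alwaysSelectFullNamespace on and off. This is an added example, not Struts' own code or anything from the answer; the matching rules approximate what DefaultActionMapper does (longest configured namespace prefix, last path segment kept as the action name when slashes in action names are disallowed) and are marked where simplified. The configuration dictionary mirrors the struts.xml in the question: one package in the root namespace "/" defining the "administrator" action.

```python
"""Simplified model of Struts 2 namespace/action resolution.

Added example; not Struts' own code. The rules approximate
DefaultActionMapper and are simplified where noted.
"""

from typing import Dict, Set, Tuple

# Constructed configuration mirroring the struts.xml in the question:
# one package in the root namespace "/" that defines the "administrator" action.
CONFIG: Dict[str, Set[str]] = {"/": {"administrator"}}


def map_request(uri: str, always_full_namespace: bool,
                allow_slashes_in_names: bool = False,
                config: Dict[str, Set[str]] = CONFIG) -> Tuple[str, str]:
    """Return (namespace, action_name) for a request path such as "/a/b/admin"."""
    if not uri.startswith("/"):
        uri = "/" + uri
    last_slash = uri.rfind("/")

    if always_full_namespace:
        # struts.mapper.alwaysSelectFullNamespace=true: everything before the
        # last slash is the namespace, copied verbatim from the request. The
        # configuration is not consulted at this point.
        namespace = uri[:last_slash] or "/"
        name = uri[last_slash + 1:]
        return namespace, name

    # Default: pick the longest configured namespace that is a path-segment
    # prefix of the request, falling back to the root namespace "/".
    prefix = uri[:last_slash]
    namespace = ""
    for ns in config:
        if ns == "/":
            continue
        matches = prefix == ns or prefix.startswith(ns + "/")
        if matches and len(ns) > len(namespace):
            namespace = ns
    name = uri[len(namespace) + 1:] if namespace else uri[1:]

    if not allow_slashes_in_names and "/" in name:
        # Simplification of the mapper's default behaviour: with slashes not
        # allowed in action names, only the last path segment is kept. This is
        # why /asdasd/asdasdasd/administrator still resolves to "administrator"
        # in the question.
        name = name.rsplit("/", 1)[1]
    return namespace or "/", name


def is_accepted(uri: str, always_full_namespace: bool,
                config: Dict[str, Set[str]] = CONFIG) -> bool:
    """True when the mapped (namespace, action) pair exists in the configuration."""
    namespace, name = map_request(uri, always_full_namespace, config=config)
    return name in config.get(namespace, set())


if __name__ == "__main__":
    for path in ("/administrator", "/asdasd/asdasdasd/administrator"):
        for full in (False, True):
            ns, action = map_request(path, full)
            print(f"{path:35} alwaysSelectFullNamespace={full!s:5} -> "
                  f"namespace={ns!r:22} action={action!r} "
                  f"accepted={is_accepted(path, full)}")
```

With the setting off, the model reproduces the behaviour the question describes: the unknown prefix is discarded and the request lands on the root package's "administrator" action. With the setting on, the namespace "/asdasd/asdasdasd" has no package, so the request is rejected. Note what the `always_full_namespace` branch does: the namespace string is taken straight from the request and only later looked up, which is the behaviour the comment on the question ties to CVE-2018-11776; run a patched Struts release before relying on this option.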