Friday, July 21, 2017

TrendLabs: New Apache Struts Vulnerability

The vendor's fix guidance for this issue (CVE-2017-9791, an OGNL injection reachable through the Struts 2 Struts 1 plugin) comes down to one rule: always pass a resource key to ActionMessage, and pass any user-controlled value only as a message argument, never as part of the key itself:
    // Safe: fixed resource key, user input supplied only as a positional argument
    messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
A raw message built from user input must never be passed as the key, as in the following vulnerable example (the user-controlled name becomes part of the text that the plugin later evaluates):
    // Vulnerable: user input concatenated into the message key
    messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
REF: http://blog.trendmicro.com/trendlabs-security-intelligence/examining-cve-2017-9791-new-apache-struts-remote-code-execution-vulnerability/
