Author: niallp
Date: Mon Mar  6 16:05:50 2006
New Revision: 383718

URL: http://svn.apache.org/viewcvs?rev=383718&view=rev
Log:
Fix for Bug 38749 - XSS vulnerability in LookupDispatchAction - reported by 
Tommy Wareing

Modified:
    struts/extras/trunk/src/java/org/apache/struts/actions/ActionDispatcher.java
    struts/extras/trunk/src/java/org/apache/struts/actions/DispatchAction.java
    
struts/extras/trunk/src/java/org/apache/struts/actions/LocalStrings.properties
    
struts/extras/trunk/src/java/org/apache/struts/actions/LookupDispatchAction.java

Modified: 
struts/extras/trunk/src/java/org/apache/struts/actions/ActionDispatcher.java
URL: 
http://svn.apache.org/viewcvs/struts/extras/trunk/src/java/org/apache/struts/actions/ActionDispatcher.java?rev=383718&r1=383717&r2=383718&view=diff
==============================================================================
--- 
struts/extras/trunk/src/java/org/apache/struts/actions/ActionDispatcher.java 
(original)
+++ 
struts/extras/trunk/src/java/org/apache/struts/actions/ActionDispatcher.java 
Mon Mar  6 16:05:50 2006
@@ -1,7 +1,7 @@
 /*
  * $Id$
  *
- * Copyright 2005 The Apache Software Foundation.
+ * Copyright 2005-2006 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,8 +81,7 @@
 
  * </ul>
  *
- * @version $Rev$ $Date: 2005-05-14 21:27:02 -0400 (Sat, 14 May 2005)
- *          $
+ * @version $Rev$ $Date$
  * @since Struts 1.2.7
  */
 public class ActionDispatcher {
@@ -325,7 +324,10 @@
                 messages.getMessage("dispatch.method", mapping.getPath(), 
name);
 
             log.error(message, e);
-            throw e;
+
+            String userMsg =
+                messages.getMessage("dispatch.method.user", mapping.getPath());
+            throw new NoSuchMethodException(userMsg);
         }
 
         return dispatchMethod(mapping, form, request, response, name, method);
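Review bot: The new `throw new NoSuchMethodException(userMsg)` drops the caught `e` entirely, so callers and logs upstream of this method lose the reflective failure's stack trace; `NoSuchMethodException` has no cause-taking constructor, but `initCause(e)` would keep the chain. That omission may be deliberate, since `e.getMessage()` is what carried the request-supplied method name and a default error page that prints the full cause chain would render it again; if so, record it, e.g. `// e is intentionally not chained: its message embeds the request-supplied method name (Bug 38749)`. Otherwise use `NoSuchMethodException nsme = new NoSuchMethodException(userMsg); nsme.initCause(e); throw nsme;` and rely on the error page to escape. The enclosing method starts before this hunk.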

Modified: 
struts/extras/trunk/src/java/org/apache/struts/actions/DispatchAction.java
URL: 
http://svn.apache.org/viewcvs/struts/extras/trunk/src/java/org/apache/struts/actions/DispatchAction.java?rev=383718&r1=383717&r2=383718&view=diff
==============================================================================
--- struts/extras/trunk/src/java/org/apache/struts/actions/DispatchAction.java 
(original)
+++ struts/extras/trunk/src/java/org/apache/struts/actions/DispatchAction.java 
Mon Mar  6 16:05:50 2006
@@ -1,7 +1,7 @@
 /*
  * $Id$
  *
- * Copyright 2001-2004 The Apache Software Foundation.
+ * Copyright 2001-2006 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -86,8 +86,7 @@
  * <code>getMethodName</code> method to override the action's default handler
  * selection.</p>
  *
- * @version $Rev$ $Date: 2005-05-14 21:27:02 -0400 (Sat, 14 May 2005)
- *          $
+ * @version $Rev$ $Date$
  */
 public abstract class DispatchAction extends BaseAction {
     /**
@@ -262,7 +261,10 @@
                 messages.getMessage("dispatch.method", mapping.getPath(), 
name);
 
             log.error(message, e);
-            throw e;
+
+            String userMsg =
+                messages.getMessage("dispatch.method.user", mapping.getPath());
+            throw new NoSuchMethodException(userMsg);
         }
 
         ActionForward forward = null;
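Review bot: The `log.error(message, e)` call above the new lines still interpolates `name` unmodified into the log record, and this commit exists because `name` appears to be request-supplied, so a value containing CR/LF can forge additional log lines or break structured log parsing. Consider neutralising control characters before building `message`, e.g. `String logName = (name == null) ? null : name.replaceAll("[\\r\\n]", " ");`, and passing `logName` to `getMessage`. This catch block is now a verbatim copy of the one changed in `ActionDispatcher` in the same commit; keep the two in step if one is adjusted. The enclosing method starts before this hunk.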

Modified: 
struts/extras/trunk/src/java/org/apache/struts/actions/LocalStrings.properties
URL: 
http://svn.apache.org/viewcvs/struts/extras/trunk/src/java/org/apache/struts/actions/LocalStrings.properties?rev=383718&r1=383717&r2=383718&view=diff
==============================================================================
--- 
struts/extras/trunk/src/java/org/apache/struts/actions/LocalStrings.properties 
(original)
+++ 
struts/extras/trunk/src/java/org/apache/struts/actions/LocalStrings.properties 
Mon Mar  6 16:05:50 2006
@@ -4,9 +4,10 @@
 dispatch.lookup=Action[{0}] does not contain handler for resource '{1}'
 dispatch.mapping=ActionMapping[{0}] is not of type DispatchMapping
 dispatch.method=Action[{0}] does not contain method named '{1}'
+dispatch.method.user=Action[{0}] does not contain specified method (check logs)
 dispatch.parameter=Request[{0}] does not contain handler parameter named 
'{1}'.  This may be caused by whitespace in the label text.
 dispatch.return=Action[{0}] invalid return type for method '{1}'
-dispatch.resource=Action[{0}] missing resource '{1}' in key method map
+dispatch.resource=Action[{0}] missing resource in key method map
 forward.path=No context-relative URI specified via the 'parameter' attribute
 forward.rd=Cannot create request dispatcher for path '{0}'
 include.path=No context-relative URI specified via the 'parameter' attribute
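Review bot: `dispatch.lookup` and `dispatch.parameter` still interpolate a `{1}` value even though this commit trims `dispatch.resource` and adds a data-free `dispatch.method.user` precisely to keep request data out of client-visible messages; the sites that raise those two keys are not in this diff, so it is worth confirming that their `{1}` is configuration-derived rather than request-derived before the same error page can render it. A comment in this file would record the convention for future keys, e.g. `# Messages suffixed .user may be shown to clients and must not embed request-supplied values (Bug 38749); log the detail instead.`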

Modified: 
struts/extras/trunk/src/java/org/apache/struts/actions/LookupDispatchAction.java
URL: 
http://svn.apache.org/viewcvs/struts/extras/trunk/src/java/org/apache/struts/actions/LookupDispatchAction.java?rev=383718&r1=383717&r2=383718&view=diff
==============================================================================
--- 
struts/extras/trunk/src/java/org/apache/struts/actions/LookupDispatchAction.java
 (original)
+++ 
struts/extras/trunk/src/java/org/apache/struts/actions/LookupDispatchAction.java
 Mon Mar  6 16:05:50 2006
@@ -1,7 +1,7 @@
 /*
  * $Id$
  *
- * Copyright 2001-2004 The Apache Software Foundation.
+ * Copyright 2001-2006 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@
  */
 package org.apache.struts.actions;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.struts.Globals;
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
@@ -103,6 +105,12 @@
  * pressed), the custom handler <code>cancelled</code> will be used instead.
  */
 public abstract class LookupDispatchAction extends DispatchAction {
+
+    /**
+     * Commons Logging instance.
+     */
+    private static Log LOG = LogFactory.getLog(LookupDispatchAction.class);
+
     /**
      * Reverse lookup map from resource value to resource key.
      */
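Review bot: The new logger field is `private static Log LOG` without `final`, while the sibling classes touched in this commit (`ActionDispatcher`, `DispatchAction`) refer to a field named `log`; declare it `private static final Log LOG = LogFactory.getLog(LookupDispatchAction.class);` and consider matching the existing lowercase name. `LookupDispatchAction` extends `DispatchAction`, which already logs via `log` in the same package; if that field is not private, this class could reuse it rather than instantiate a second logger for the same hierarchy, though its visibility is not shown here.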
@@ -238,9 +246,8 @@
 
         if (key == null) {
             String message =
-                messages.getMessage("dispatch.resource", mapping.getPath(),
-                    keyName);
-
+                messages.getMessage("dispatch.resource", mapping.getPath());
+            LOG.error(message + " '" + keyName + "'");
             throw new ServletException(message);
         }
 
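Review bot: `keyName` is concatenated raw into the `LOG.error` message on the new line; removing it from the `ServletException` text is the XSS fix, which implies it originates from the request, so a value carrying CR/LF can inject spurious log entries. Strip or replace control characters before logging, e.g. `LOG.error(message + " '" + keyName.replaceAll("[\\r\\n]", " ") + "'");` (guarding the `null` case if `keyName` can be null here), or log it as a separate parameter if the logging backend escapes. The enclosing method starts before this hunk.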


