Author: niallp Date: Mon Mar 6 16:07:59 2006 New Revision: 383720 URL: http://svn.apache.org/viewcvs?rev=383720&view=rev Log: Port Fix for Bug 38749 to 1.2.x branch - XSS vulnerability in LookupDispatchAction - reported by Tommy Wareing
Modified:
struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/ActionDispatcher.java
struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/DispatchAction.java
struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LocalStrings.properties
struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LookupDispatchAction.java
Modified: struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/ActionDispatcher.java
URL: http://svn.apache.org/viewcvs/struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/ActionDispatcher.java?rev=383720&r1=383719&r2=383720&view=diff
==============================================================================
--- struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/ActionDispatcher.java (original)
+++ struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/ActionDispatcher.java Mon Mar 6 16:07:59 2006
@@ -1,7 +1,7 @@
 /*
  * $Id$
  *
- * Copyright 2005 The Apache Software Foundation.
+ * Copyright 2005-2006 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -309,7 +309,10 @@
 String message =
 messages.getMessage("dispatch.method", mapping.getPath(), name);
 log.error(message, e);
- throw e;
+
+ String userMsg =
+ messages.getMessage("dispatch.method.user", mapping.getPath());
+ throw new NoSuchMethodException(userMsg);
 }
 
 return dispatchMethod(mapping, form, request, response, name, method);
Modified: struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/DispatchAction.java
URL: http://svn.apache.org/viewcvs/struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/DispatchAction.java?rev=383720&r1=383719&r2=383720&view=diff
==============================================================================
--- struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/DispatchAction.java (original)
+++ struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/DispatchAction.java Mon Mar 6 16:07:59 2006
@@ -1,7 +1,7 @@
 /*
  * $Id$
  *
- * Copyright 2001-2004 The Apache Software Foundation.
+ * Copyright 2001-2006 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
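Review bot: The replacement `throw new NoSuchMethodException(userMsg)` drops the original exception `e` entirely, so anything above this frame that inspects the exception gets neither the real method name nor the stack trace that `log.error(message, e)` recorded; if the branch's minimum JDK is 1.4 or later, chain it with `NoSuchMethodException nsme = new NoSuchMethodException(userMsg); nsme.initCause(e); throw nsme;` (confirm the target JDK before relying on initCause). The reason `name` is deliberately left out of the client-facing message is the whole point of the commit but is not recorded at the site, and a later "improve the error message" cleanup could put it back; a comment such as `// Deliberately omit the request-supplied method name: it is logged above and must not be echoed to the client (Bug 38749)` would pin the intent. The DispatchAction hunk at @@ -265 has exactly the same shape and the same two remarks apply there. The enclosing method starts and ends outside this hunk.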
@@ -265,7 +265,10 @@
 String message =
 messages.getMessage("dispatch.method", mapping.getPath(), name);
 log.error(message, e);
- throw e;
+
+ String userMsg =
+ messages.getMessage("dispatch.method.user", mapping.getPath());
+ throw new NoSuchMethodException(userMsg);
 }
 
 ActionForward forward = null;
Modified: struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LocalStrings.properties
URL: http://svn.apache.org/viewcvs/struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LocalStrings.properties?rev=383720&r1=383719&r2=383720&view=diff
==============================================================================
--- struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LocalStrings.properties (original)
+++ struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LocalStrings.properties Mon Mar 6 16:07:59 2006
@@ -4,9 +4,10 @@
 dispatch.lookup=Action[{0}] does not contain handler for resource '{1}'
 dispatch.mapping=ActionMapping[{0}] is not of type DispatchMapping
 dispatch.method=Action[{0}] does not contain method named '{1}'
+dispatch.method.user=Action[{0}] does not contain specified method (check logs)
 dispatch.parameter=Request[{0}] does not contain handler parameter named '{1}'. This may be caused by whitespace in the label text.
 dispatch.return=Action[{0}] invalid return type for method '{1}'
-dispatch.resource=Action[{0}] missing resource '{1}' in key method map
+dispatch.resource=Action[{0}] missing resource in key method map
 forward.path=No context-relative URI specified via the 'parameter' attribute
 forward.rd=Cannot create request dispatcher for path '{0}'
 include.path=No context-relative URI specified via the 'parameter' attribute
Modified: struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LookupDispatchAction.java
URL: http://svn.apache.org/viewcvs/struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LookupDispatchAction.java?rev=383720&r1=383719&r2=383720&view=diff
==============================================================================
--- struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LookupDispatchAction.java (original)
+++ struts/action/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/actions/LookupDispatchAction.java Mon Mar 6 16:07:59 2006
@@ -1,7 +1,7 @@
 /*
  * $Id$
  *
- * Copyright 2001-2004 The Apache Software Foundation.
+ * Copyright 2001-2006 The Apache Software Foundation.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
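Review bot: The new `dispatch.method.user` key and the trimmed `dispatch.resource` no longer carry the value the request supplied, but `dispatch.lookup` and `dispatch.parameter` in the same block still interpolate a `{1}`; whether those are ever reached with a request-derived value is not visible here, so it is worth confirming they are not surfaced to the client unescaped in the same way. A one-line comment above the new key would record why it differs from `dispatch.method`, e.g. `# dispatch.method.user: client-facing variant of dispatch.method; deliberately carries no request-supplied value (Bug 38749)`.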
@@ -27,6 +27,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.struts.Globals;
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
@@ -109,6 +111,11 @@
 public abstract class LookupDispatchAction extends DispatchAction {
 
 /**
+ * Commons Logging instance.
+ */
+ private static Log LOG = LogFactory.getLog(LookupDispatchAction.class);
+
+ /**
 * Reverse lookup map from resource value to resource key.
 */
 protected Map localeMap = new HashMap();
@@ -235,8 +242,9 @@
 // Find the key for the resource
 String key = (String) lookupMap.get(keyName);
 if (key == null) {
- String message = messages.getMessage(
- "dispatch.resource", mapping.getPath(), keyName);
+ String message =
+ messages.getMessage("dispatch.resource", mapping.getPath());
+ LOG.error(message + " '" + keyName + "'");
 throw new ServletException(message);
 }
 
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
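Review bot: In the @@ -109 hunk `private static Log LOG` is never reassigned and should be `private static final Log LOG = LogFactory.getLog(LookupDispatchAction.class);`; the parent DispatchAction also appears to have a `log` in scope (it is used at @@ -265 in this same commit), so the second logger may be redundant, though its visibility is not shown here and should be checked before dropping the new field. In the @@ -235 hunk, `LOG.error(message + " '" + keyName + "'")` now records the presumably request-supplied key only in the log, which is the right split once the ServletException message stops carrying it, but the line deserves a comment so the boundary survives later edits, e.g. `// keyName is request-supplied: log it here for diagnosis, never put it in the exception message sent to the client (Bug 38749)`. The enclosing method of the @@ -235 hunk starts and ends outside the hunk.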