[
https://issues.apache.org/jira/browse/WW-3655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Johno Crawford updated WW-3655:
-------------------------------
Description:
If the template location is either null or an empty string "" FreemarkerResult
will take the request uri
org.apache.struts2.views.freemarker.FreemarkerResult#doExecute and load it as a
template.
Example url, http://localhost:8080/com/acme/actions/Action.class/ would load
/com/acme/actions/Action.class/ as a template and dump the bytecode in the
response.
The check / culprit below seems a little exotic, however someone may be relying
on it eg. same actions handling stuff in different directories?
if (!locationArg.startsWith("/")) {
String base = ResourceUtil.getResourceBase(req);
locationArg = base + "/" + locationArg;
}
To mitigate the problem and maintain previous functionality we could throw an
exception if the template location is empty, I have created a pull request with
my proposed fix https://github.com/apache/struts2/pull/1
was:
If the template location is either null or an empty string "" FreemarkerResult
will take the request uri
org.apache.struts2.views.freemarker.FreemarkerResult#doExecute and load it as a
template.
example url, http://localhost:8080/com/acme/actions/Action.class/ would load
/com/acme/actions/Action.class/ as a template and dump the bytecode in the
response.
the check / culprit below seems a little exotic, however someone may be relying
on it eg. same actions handling stuff in different directories?
if (!locationArg.startsWith("/")) {
String base = ResourceUtil.getResourceBase(req);
locationArg = base + "/" + locationArg;
}
I have created a pull request with my proposed fix
https://github.com/apache/struts2/pull/1
> Freemarker result loads request uri as template
> -----------------------------------------------
>
> Key: WW-3655
> URL: https://issues.apache.org/jira/browse/WW-3655
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.2.3
> Reporter: Johno Crawford
>
> If the template location is either null or an empty string ""
> FreemarkerResult will take the request uri
> org.apache.struts2.views.freemarker.FreemarkerResult#doExecute and load it as
> a template.
> Example url, http://localhost:8080/com/acme/actions/Action.class/ would load
> /com/acme/actions/Action.class/ as a template and dump the bytecode in the
> response.
> The check / culprit below seems a little exotic, however someone may be
> relying on it eg. same actions handling stuff in different directories?
> if (!locationArg.startsWith("/")) {
> String base = ResourceUtil.getResourceBase(req);
> locationArg = base + "/" + locationArg;
> }
> To mitigate the problem and maintain previous functionality we could throw an
> exception if the template location is empty, I have created a pull request
> with my proposed fix https://github.com/apache/struts2/pull/1
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
