[ https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13799824#comment-13799824 ]

Johno Crawford commented on WW-4066:
------------------------------------

Sure, our apps are built on the original behaviour that global rules from 
struts.xml would be enforced. This allows us to avoid exploits such as 
http://struts.apache.org/release/2.3.x/docs/s2-009.html as implementing 
ParameterNameAware for an action will ignore rules defined in the 
acceptParamNames param tag. Now to get back the original behaviour we are 
having to subclass ParametersInterceptor and copy massive chunks of code as 
there is no easy way to override SecurityMemberAccess.

> Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WW-4066
>                 URL: https://issues.apache.org/jira/browse/WW-4066
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.14
>            Reporter: Chris Cranford
>            Assignee: Lukasz Lenart
>             Fix For: 2.3.16
>
>         Attachments: testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage() 
> with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
>   super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack 
> trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>   at java.lang.String.substring(String.java:1871)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
>   at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
>   at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.1#6144)
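The quoted description shows the BaseAction override forwarding every message, including the devMode developer notification that the trace shows ParametersInterceptor.setParameters() handing to addActionMessage(), into the resource-bundle lookup. As an added example (not code from the ticket, the reporter, or Struts itself), here is one way to keep such raw, parameter-derived text out of getText(); it assumes this application's message keys consist only of word characters and dots.

```java
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;

public class BaseAction extends ActionSupport {

    // Assumption: resource-bundle keys in this application look like
    // "order.saved" (word characters and dots only). Anything else, such as
    // a developer notification that embeds a raw request parameter name with
    // brackets, is not a key and must not reach the localized-text lookup.
    private static final Pattern MESSAGE_KEY = Pattern.compile("^[\\w.]+$");

    @Override
    public void addActionMessage(String message) {
        if (message != null && MESSAGE_KEY.matcher(message).matches()) {
            // Looks like a key: translate it. getText() falls back to the key
            // itself when no bundle entry exists, so plain keys behave as before.
            super.addActionMessage(getText(message));
        } else {
            // Not a key: store the text verbatim, which is what the unoverridden
            // ActionSupport.addActionMessage() would have done.
            super.addActionMessage(message);
        }
    }
}
```

Untranslated notifications still land in the action messages, so this keeps the devMode diagnostics visible while stopping them from being parsed as keys.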