[
https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13799824#comment-13799824
]
Johno Crawford edited comment on WW-4066 at 10/19/13 12:02 PM:
---------------------------------------------------------------
Sure, our apps are built on the original behaviour that global rules from
struts.xml would be enforced.
This allows us to avoid exploits such as
http://struts.apache.org/release/2.3.x/docs/s2-009.html as the problem with the
new behaviour means that implementing ParameterNameAware for an action will
ignore rules defined in the acceptParamNames param tag.
To return the original behaviour we are having to subclass
ParametersInterceptor and copy massive chunks of code as there is no easy way
to override SecurityMemberAccess (see attachment).
Frankly speaking I would like to see a configuration option for the "new"
behaviour and default to the original behaviour for increased security.
was (Author: johno):
Sure, our apps are built on the original behaviour that global rules from
struts.xml would be enforced. This allows us to avoid exploits such as
http://struts.apache.org/release/2.3.x/docs/s2-009.html as implementing
ParameterNameAware for an action will ignore rules defined in the
acceptParamNames param tag. Now to get back the original behaviour we are
having to subclass ParametersInterceptor and copy massive chunks of code as
there is no easy way to override SecurityMemberAccess. Frankly speaking I would
like to see a configuration option for the "new" behaviour and default to the
original behaviour.
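The two evaluation orders the comment contrasts, as a small Java model added here for illustration (not Struts or XWork code): the class `ParamNameCheckModel` and its `newBehaviour` / `originalBehaviour` methods are hypothetical names, the global accept/exclude patterns and the `session.token` input are constructed, and the local `ParameterNameAware` interface only mirrors the XWork interface's method signature.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added model of the two evaluation orders discussed above; not Struts/XWork code.
// The patterns are constructed stand-ins for the interceptor's global rules.
public class ParamNameCheckModel {
    // Mirrors XWork's ParameterNameAware: an action's per-name decision.
    interface ParameterNameAware {
        boolean acceptableParameterName(String name);
    }
    // Stand-ins for acceptParamNames / excludeParams configured in struts.xml.
    static final Pattern ACCEPT = Pattern.compile("[a-zA-Z0-9\\.\\[\\]\\(\\)_']+");
    static final List<Pattern> EXCLUDE = Arrays.asList(
            Pattern.compile("^session\\..*"),
            Pattern.compile("^request\\..*"),
            Pattern.compile("^servlet(Request|Response)\\..*"));

    static boolean globallyAcceptable(String name) {
        if (!ACCEPT.matcher(name).matches()) return false;
        for (Pattern p : EXCLUDE) if (p.matcher(name).matches()) return false;
        return true;
    }
    // "New" behaviour the comment objects to: when the action implements
    // ParameterNameAware, its answer replaces the global rules entirely.
    static boolean newBehaviour(Object action, String name) {
        if (action instanceof ParameterNameAware)
            return ((ParameterNameAware) action).acceptableParameterName(name);
        return globallyAcceptable(name);
    }
    // "Original" behaviour the reporter relies on: global rules always apply,
    // and a ParameterNameAware action can only narrow the accepted set further.
    static boolean originalBehaviour(Object action, String name) {
        if (!globallyAcceptable(name)) return false;
        if (action instanceof ParameterNameAware)
            return ((ParameterNameAware) action).acceptableParameterName(name);
        return true;
    }

    public static void main(String[] args) {
        // A permissive action that approves every name it is asked about.
        ParameterNameAware permissive = name -> true;
        for (String name : new String[] {"user.name", "session.token"}) {
            System.out.printf("%-14s new=%-5b original=%b%n", name,
                    newBehaviour(permissive, name), originalBehaviour(permissive, name));
        }
    }
}
```

Under the "new" order `session.token` is accepted because the action's own answer wins; under the "original" order the global exclude rule still rejects it, which is the enforcement the comment is asking to keep.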
> Submitting form with parameters using brackets while devMode=true yields
> StringIndexOutOfBoundsException
> --------------------------------------------------------------------------------------------------------
>
> Key: WW-4066
> URL: https://issues.apache.org/jira/browse/WW-4066
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.3.14
> Reporter: Chris Cranford
> Assignee: Lukasz Lenart
> Fix For: 2.3.16
>
> Attachments: ParametersInterceptor.java, testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage()
> with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
> super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack
> trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
> at java.lang.String.substring(String.java:1871)
> at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
> at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
> at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
> at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
> at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
> at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
> at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
> at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)