[jira] [Commented] (WW-4486) Default parameter exclusions blocking legitimate values

[Jasper Rosenberg (JIRA)]

    [ 
https://issues.apache.org/jira/browse/WW-4486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14485174#comment-14485174
 ] 

Jasper Rosenberg commented on WW-4486:
--------------------------------------

Wow, that is problematic to say the least.  Is there a discussion somewhere I 
can look at which talks about the specific spots where double evaluation can 
happen?  I'm guessing the ConversionErrorInterceptor is one of them.  I can't 
seem to reproduce setting a value and having ognl evaluate it on the way in 
though.  By any chance do you have a sample expression that i should be able to 
pass in as a value to a struts textfield tag and see ognl try to evaluate it?

Thanks!

> Default parameter exclusions blocking legitimate values
> -------------------------------------------------------
>
>                 Key: WW-4486
>                 URL: https://issues.apache.org/jira/browse/WW-4486
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.3.20
>            Reporter: Jasper Rosenberg
>            Priority: Critical
>             Fix For: 2.5
>
>
> In ParametersInterceptor.setParameters(), when building 
> acceptableParameters(), it applies the check isAcceptableValue not just just 
> to the parameter name, but also to the parameter value.  This is a huge 
> problem because the default excludedPatterns include phrases that will come 
> up in normal user form submissions.  
> For example, the way I discovered this is that one pattern is 
> "(.*\.|^|.*|\[('|"))\bclass(\.|('|")]|\[).*"
> We are a car site, so when a user tried to post a message about a Mercedes M 
> class: "That's M class. You asked for G class, different beast!"
> The "class." at the end of the first sentence was rejected and so their post 
> failed.
> What is the reason for applying the exclusion patterns wholesale to the 
> parameter value?  Is it even necessary at all, or is there some kind of 
> escape character that normally tells ognl to evaluate an expression in the 
> value, in which case we could check for exclusion pattern matches just within 
> those?
> As it is though, the current solution is going to cause some occasional very 
> peculiar behavior for developers.  Not sure if this should actually be a 
> blocker bug since the only reasonable workaround seems to be to hack the 
> ParametersInterceptor locally (since one shouldn't remove the exclusion 
> patterns in general).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)