[
https://issues.apache.org/jira/browse/WW-5056?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-5056:
------------------------------
Description:
Currently the regex used to match allowed parameters is
{code}
public static final String[] ACCEPTED_PATTERNS = {
"\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
};
{code}
For parameters that are mapped to a map, this restricts the keys to letters,
numbers and underscore.
It would be nice to allow all characters that are allowed in POST data and
URLs, for example a parameter like map['key-subkey'] is currently not allowed,
but it should cause no harm.
was:
Currently the regex used to match allowed parameters is
public static final String[] ACCEPTED_PATTERNS = {
"\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
};
For parameters that are mapped to a map, this restricts the keys to letters,
numbers and underscore.
It would be nice to allow all characters that are allowed in POST data and
URLs, for example a parameter like map['key-subkey'] is currently not allowed,
but it should cause no harm.
> Standard Accepted Patterns in DefaultAcceptedPatternsChecker
> ------------------------------------------------------------
>
> Key: WW-5056
> URL: https://issues.apache.org/jira/browse/WW-5056
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Reporter: Andrea Vettori
> Priority: Minor
> Fix For: 2.6
>
>
> Currently the regex used to match allowed parameters is
> {code}
> public static final String[] ACCEPTED_PATTERNS = {
>
> "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
> };
> {code}
> For parameters that are mapped to a map, this restricts the keys to letters,
> numbers and underscore.
> It would be nice to allow all characters that are allowed in POST data and
> URLs, for example a parameter like map['key-subkey'] is currently not
> allowed, but it should cause no harm.
>
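Added example, not part of the original message and not Struts code: a small Java harness that runs constructed parameter names through the pattern quoted in the description, next to a hypothetical variant that adds only '-' to the quoted-key character class. It assumes the checker matches the whole parameter name (Matcher.matches()); the class name, the WIDENED pattern and the sample names are illustrative and are not the project's fix.

```java
import java.util.regex.Pattern;

public class AcceptedPatternDemo {
    // Pattern string copied verbatim from the issue description.
    static final Pattern CURRENT = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))"
        + "|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");

    // Hypothetical variant (assumption): '-' is added as one more explicit
    // alternative inside the quoted map keys. Quotes, brackets, parentheses,
    // dots and whitespace stay excluded from keys.
    static final Pattern WIDENED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))"
        + "|(\\['(\\w|-|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|-|[\\u4e00-\\u9fa5])+'\\)))*");

    // Whole-name match: a name is accepted only if the pattern consumes all of it.
    static boolean accepted(Pattern pattern, String name) {
        return pattern.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, for illustration only.
        String[] names = {
            "user.name",            // property path
            "items[0]",             // numeric index
            "map['key_subkey']",    // key made of word characters
            "map['\u952e']",        // key with one CJK character in the allowed range
            "map['key-subkey']",    // the case raised in the issue
            "map['key subkey']",    // whitespace inside the key
            "map['key.subkey']",    // dot inside the key
            "map[key]",             // unquoted, non-numeric index
            "map['key']x"           // trailing text after the closing bracket
        };
        for (String name : names) {
            System.out.printf("%-20s current=%-5b widened=%b%n",
                name, accepted(CURRENT, name), accepted(WIDENED, name));
        }
    }
}
```

Only map['key-subkey'] changes from rejected to accepted under the variant; adding characters one at a time keeps every name that breaks out of the quoted key rejected, which an "anything allowed in a URL" class would not guarantee.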