[ 
https://issues.apache.org/jira/browse/WW-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314430#comment-17314430
 ] 

Greg Huber edited comment on WW-5115 at 4/4/21, 8:34 AM:
---------------------------------------------------------

I tried the mod I still get

2021-04-04 08:23:03,016 WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myEdit!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at
https://struts.apache.org/security/#accepted--excluded-patterns

It seems name = action:myEdit!save is not being ignored here?
{code:java}
if (isIgnoredDMI(name)) {
    LOG.trace("DMI is enabled, ignoring DMI method: {}", name);
    return false;
}
boolean accepted = isWithinLengthLimit(name) && !isExcluded(name) && isAccepted(name);
....
{code}

Possibly switch these to this??  
{code:java}
private boolean isIgnoredDMI(String name) {
    if (dmiEnabled) {
        return DMI_IGNORED_PATTERN.matcher(name).matches();
    } else {
        return false;
    }
}
{code}
Also, strictly speaking this is not following the interceptor pattern: the check is now made in the 
class rather than in ExcludedPatternsChecker etc. That said, we probably don't want to 
share this check with any other interceptor.



> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Assignee: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27, 2.6
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> There are unnecessary log warnings when DMI is enabled, from the 
> ParametersInterceptor.  
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at 
> https://struts.apache.org/security/#accepted--excluded-patterns
> eg the property 'action:myAction!save' should not be considered as a 
> bean/property parameter, as it's used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" 
> needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from 
> DefaultAcceptedPatternsChecker as the DMI action|method would never be a form 
> property.
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>     "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };
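As an added example (not Struts code, and not code from the comment or the issue description above): a Python model of the check ordering the comment discusses. It reuses the accepted pattern from the WARN line, the "^(action|method):.*" DMI pattern and the DMI_AWARE_ACCEPTED_PATTERNS regex from the description; the length cap, the single excluded pattern, the log tuples and the submitted field names are constructed for the example and are not the Struts defaults. It shows that when the DMI check runs first and uses a full match (Java's matcher.matches()), action:myEdit!save is dropped at TRACE level and never reaches the accepted-pattern check; with DMI disabled the same name falls through to the WARN seen on the page; and the old DMI-aware accepted pattern would have let that name through as a property path, which is why it can be dropped once DMI names are handled up front.

```python
"""Parameter-name gate modelled on the ParametersInterceptor ordering under discussion.

Constructed example, not Struts code. Java's matcher.matches() requires a full match,
so re.fullmatch is used throughout; re.ASCII keeps \\w ASCII-only as it is in Java.
"""
import re
from typing import List, Tuple

# Accepted pattern copied from the WARN line on the page.
ACCEPTED_PATTERN = re.compile(
    r"\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*",
    re.ASCII,
)
# DMI ignore pattern from the issue description.
DMI_IGNORED_PATTERN = re.compile(r"^(action|method):.*", re.ASCII)
# The DMI-aware accepted pattern the reporter proposes dropping (copied from the page).
DMI_AWARE_ACCEPTED_PATTERN = re.compile(
    r"\w+([:]?\w+)?((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*([!]?\w+)?",
    re.ASCII,
)
# Assumptions for this example only (not values from the page): a length cap and one
# constructed excluded pattern standing in for isWithinLengthLimit / isExcluded.
PARAM_NAME_MAX_LENGTH = 100
EXCLUDED_PATTERNS = [re.compile(r".*\.class\..*", re.ASCII)]

LogEvent = Tuple[str, str]  # (level, message)


def is_ignored_dmi(name: str, dmi_enabled: bool) -> bool:
    """The isIgnoredDMI shape the comment proposes: consult the pattern only when DMI is on."""
    return dmi_enabled and DMI_IGNORED_PATTERN.fullmatch(name) is not None


def is_accepted_parameter(name: str, dmi_enabled: bool, log: List[LogEvent]) -> bool:
    """Return True if `name` may be bound onto the action; append log events to `log`.

    DMI names are dropped before the length/exclude/accept checks, so they neither
    produce the WARN nor reach the value stack as a property path.
    """
    if is_ignored_dmi(name, dmi_enabled):
        log.append(("TRACE", f"DMI is enabled, ignoring DMI method: {name}"))
        return False
    if len(name) > PARAM_NAME_MAX_LENGTH:
        log.append(("WARN", f"Parameter [{name}] is too long, allowed length is {PARAM_NAME_MAX_LENGTH}"))
        return False
    if any(p.fullmatch(name) for p in EXCLUDED_PATTERNS):
        log.append(("WARN", f"Parameter [{name}] matches excluded pattern"))
        return False
    if ACCEPTED_PATTERN.fullmatch(name) is None:
        log.append(("WARN", f"Parameter [{name}] didn't match accepted pattern"))
        return False
    return True


def classify(params: List[str], dmi_enabled: bool) -> Tuple[List[str], List[LogEvent]]:
    """Run every submitted name through the gate; return (names to bind, log events)."""
    log: List[LogEvent] = []
    bound = [n for n in params if is_accepted_parameter(n, dmi_enabled, log)]
    return bound, log


def dmi_aware_pattern_accepts(name: str) -> bool:
    """Would the old DMI_AWARE_ACCEPTED_PATTERNS have let this name through as a property?"""
    return DMI_AWARE_ACCEPTED_PATTERN.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed form submission: two real properties, two DMI names, one probe.
    submitted = ["user.name", "action:myEdit!save", "items[0].qty",
                 "user.class.classLoader", "method:save"]
    for dmi in (True, False):
        bound, log = classify(submitted, dmi)
        print(f"dmiEnabled={dmi}: bind {bound}")
        for level, msg in log:
            print(f"  {level:5} {msg}")
    print("old DMI-aware pattern accepts action:myEdit!save as a property:",
          dmi_aware_pattern_accepts("action:myEdit!save"))
```

With dmiEnabled=true the two DMI names only appear at TRACE and the excluded probe is the only WARN; with dmiEnabled=false the DMI names are rejected with the "didn't match accepted pattern" WARN, which is the correct outcome since nothing should bind them.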



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
