[jira] [Commented] (WW-5115) Reduce logging for DMI excluded parameters

Wed, 28 Apr 2021 07:45:07 -0700 


    [ 
https://issues.apache.org/jira/browse/WW-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17334769#comment-17334769
 ] 

Yasser Zamani commented on WW-5115:
-----------------------------------

{quote}action:myEdit!save will never match the pattern, so it logs it 
regardless.{quote}
So totally confused I am. You say that we log when it doesn't match exclude 
pattern. Could you please point out where? When something doesn't match exclude 
pattern then we should be happy and don't log anything!!

{quote}When DMI is on it does not add the pattern, so it starts logging 
it{quote}
Yes it must not add the pattern because when DMI is on we don't want exclude 
e.g. {{action:myEdit!save}}. So it won't match exclude pattern and we won't log 
anything as I described above. I don't understand you say "..., so it starts 
logging it". Could you please illustrate where we log a NOT MATCHED exclude 
pattern?

> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27, 2.6
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> There are unnecessary log warning when DMI is enabled, from the 
> ParametersInterceptor.  
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor 
> ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't 
> match accepted pattern 
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
>  See Accepted / Excluded patterns at 
> https://struts.apache.org/security/#accepted--excluded-patterns
> eg the property 'action:myAction!save' should not be considered as a 
> bean/property parameter, as its used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" 
> needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from 
> DefaultAcceptedPatternsChecker as the DMI action|method would never be a form 
> property.
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>             
> "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to