[ https://issues.apache.org/jira/browse/WW-3529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-3529:
------------------------------
    Summary: NamedVariablePatternMatcher does not properly escape characters  (was: In xwork-core, NamedVariablePatternMatcher does not properly escape characters)

> NamedVariablePatternMatcher does not properly escape characters
> ---------------------------------------------------------------
>
>                 Key: WW-3529
>                 URL: https://issues.apache.org/jira/browse/WW-3529
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Other
>    Affects Versions: 2.2.1
>            Reporter: Richard Vermillion
>            Priority: Major
>             Fix For: 6.1.0
>
>         Attachments: NamedVariablePatternMatcher.patch
>
>
> The com.opensymphony.xwork2.util.NamedVariablePatternMatcher class has a bug
> in the compilePattern(String) method. The purpose of the method is to
> compile patterns such as "action/{foo}" to a regular expression Pattern and
> extract the variable names that match each group in the regex. In the
> example given and the 2.2.1 code base, the pattern will be compiled as
> "action/([^/]+)". However, if the pattern includes characters that have
> special meaning to Java's regular expression engine, they are currently not
> being escaped.
>
> For example, the pattern "action.{format}" is being compiled to
> "action.([^/]+)" which correctly matches "action.html" but also
> "actionK.html" or any other character because the '.' is not escaped. The
> bug really bites when a pattern like "{name}.{format}" is used. This will be
> compiled to "([^/]+).([^/]+)" which will match "cars.html" but not the way
> you expect. Because of greediness, it will set name = "cars.ht" and format =
> "l".
>
> I will submit a patch to fix this behavior on the next screen.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
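
The two cases from the report, reproduced as an added example; this is not code from the report, the attached patch, or the Struts source. The class EscapeDemo, its compile and match helpers, and the choice of Pattern.quote to escape literal text are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EscapeDemo {
    // Simplified stand-in for compilePattern(String): "{name}" becomes the
    // group ([^/]+); literal text is copied as-is (naive) or quoted (escaped).
    static Pattern compile(String template, boolean escapeLiterals, List<String> names) {
        StringBuilder regex = new StringBuilder();
        int pos = 0;
        while (pos < template.length()) {
            int open = template.indexOf('{', pos);
            int close = open < 0 ? -1 : template.indexOf('}', open);
            int literalEnd = close < 0 ? template.length() : open;
            String literal = template.substring(pos, literalEnd);
            if (!literal.isEmpty()) {
                regex.append(escapeLiterals ? Pattern.quote(literal) : literal);
            }
            if (close < 0) break;               // no further variables
            names.add(template.substring(open + 1, close));
            regex.append("([^/]+)");
            pos = close + 1;
        }
        return Pattern.compile(regex.toString());
    }

    static String match(String template, boolean escape, String input) {
        List<String> names = new ArrayList<>();
        Matcher m = compile(template, escape, names).matcher(input);
        if (!m.matches()) return "no match";
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < names.size(); i++) {
            out.append(names.get(i)).append('=').append(m.group(i + 1)).append(' ');
        }
        return out.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the report's examples.
        String[][] cases = {{"action.{format}", "actionK.html"}, {"{name}.{format}", "cars.html"}};
        for (String[] c : cases) {
            System.out.println(c[0] + " on " + c[1]);
            System.out.println("  naive:   " + match(c[0], false, c[1]));
            System.out.println("  escaped: " + match(c[0], true, c[1]));
        }
    }
}
```

Comparing the naive and escaped lines for each input shows where an unescaped '.' lets a URL pattern accept paths it was not written for, or bind the wrong values to its variables.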