[
https://issues.apache.org/jira/browse/WW-3529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-3529:
------------------------------
Summary: NamedVariablePatternMatcher does not properly escape characters
(was: In xwork-core, NamedVariablePatternMatcher does not properly escape
characters)
> NamedVariablePatternMatcher does not properly escape characters
> ---------------------------------------------------------------
>
> Key: WW-3529
> URL: https://issues.apache.org/jira/browse/WW-3529
> Project: Struts 2
> Issue Type: Bug
> Components: Other
> Affects Versions: 2.2.1
> Reporter: Richard Vermillion
> Priority: Major
> Fix For: 6.1.0
>
> Attachments: NamedVariablePatternMatcher.patch
>
>
> The com.opensymphony.xwork2.util.NamedVariablePatternMatcher class has a bug
> in the compilePattern(String) method. The purpose of the method is to
> compile patterns such as "action/{foo}" to a regular expression Pattern and
> extract the variable names that match each group in the regex. In the
> example given and the 2.2.1 code base, the pattern will be compiled as
> "action/([^/]+)". However, if the pattern includes characters that have
> special meaning to Java's regular expression engine, they are currently not
> being escaped.
> For example, the pattern "action.{format}" is being compiled to
> "action.([^/]+)" which correctly matches "action.html" but also
> "actionK.html" or any other character because the '.' is not escaped. The
> bug really bites when a pattern like "{name}.{format}" is used. This will be
> compiled to "([^/]+).([^/]+)" which will match "cars.html" but not the way
> you expect. Because of greediness, it will set name = "cars.ht" and format =
> "l".
> I will submit a patch to fix this behavior on the next screen.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
