[ https://issues.apache.org/jira/browse/WW-5276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17680973#comment-17680973 ]
ASF subversion and git services commented on WW-5276:
-----------------------------------------------------

Commit 05d7196e6cf451426eb301effc0416b2554b20f3 in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=05d7196e6 ]

WW-5276 Cleans up also wrapper request to avoid resource leak and potential DoS attack

> Cleanup method of request is not called
> ---------------------------------------
>
>                 Key: WW-5276
>                 URL: https://issues.apache.org/jira/browse/WW-5276
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 6.1.1
>            Reporter: Mirek Hankus
>            Priority: Major
>             Fix For: 6.2.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> After upgrading to 6.1.1 we have noticed that cleanup method of custom
> MultiPartRequest is not called by struts.
>
> It may be related to
> [https://github.com/apache/struts/commit/69102e907551a87335231656320c8484072bdecb]
>
> as before variable "request" was overwritten with wrapped request and cleanup
> was called in finally section
>
> After this commit new variable is created called "wrappedRequest", but
> cleanup is called only on original request, and new wrappedRequest is not
> cleaned up at all.
>
> Below is respective code fragment
> {code:java}
> HttpServletRequest wrappedRequest = prepare.wrapRequest(request);
> ActionMapping mapping = prepare.findActionMapping(wrappedRequest, response, true);
> if (mapping == null) {
>     LOG.trace("Cannot find mapping for {}, passing to other filters", uri);
>     chain.doFilter(request, response);
> } else {
>     LOG.trace("Found mapping {} for {}", mapping, uri);
>     execute.executeAction(wrappedRequest, response, mapping);
> }
> }
> }
> } finally {
>     prepare.cleanupRequest(request);
> }{code}
>
> This bug causes a lot of resource problems, and can result in denial of
> service condition for application (or making application not compliant - as
> sensitive information is not properly discarded).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
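
The leak pattern described in the report, as an added self-contained model that is not code from the issue, the commit or the Struts code base: `Request`, `MultipartWrapper` and `handle` are hypothetical stand-ins, and the assumption is that the wrapper spools uploaded data to temporary files that only its own cleanup removes.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Added illustration with hypothetical stand-ins; none of these are Struts classes.
public class WrapperCleanupDemo {

    /** Stand-in for the original request: it owns no resources of its own. */
    static class Request {
        void cleanUp() { }
    }

    /** Stand-in for a multipart wrapper that spools upload data to temp files. */
    static class MultipartWrapper extends Request {
        final List<Path> spooled = new ArrayList<>();

        MultipartWrapper() throws IOException {
            spooled.add(Files.createTempFile("upload-", ".tmp"));
        }

        @Override
        void cleanUp() {
            for (Path p : spooled) {
                try { Files.deleteIfExists(p); } catch (IOException ignored) { }
            }
        }
    }

    /** Handles one request and returns how many spooled files survive the finally block. */
    static long handle(boolean cleanWrapper) throws IOException {
        Request request = new Request();
        MultipartWrapper wrapped = new MultipartWrapper(); // models wrapRequest(request)
        long left;
        try {
            // the action would read the uploaded data from 'wrapped' here
        } finally {
            request.cleanUp();                   // as in the reported fragment: original only
            if (cleanWrapper) wrapped.cleanUp(); // release what the wrapper holds as well
            left = wrapped.spooled.stream().filter(Files::exists).count();
            wrapped.cleanUp();                   // tidy up so the demo leaves nothing on disk
        }
        return left;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("original only: " + handle(false) + " temp file(s) left");
        System.out.println("wrapper too:   " + handle(true) + " temp file(s) left");
    }
}
```

With cleanup on the original object only, every multipart request leaves its spooled file behind, so disk usage grows with request volume until something else removes the files.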