struts-dev mailing list archives

From "Musachy Barroso" <musa...@gmail.com>
Subject Re: [S2] Heads Up: possible DOS problem
Date Thu, 05 Jul 2007 18:02:39 GMT
Escaping them won't work unless TextParseUtils is changed. For example,
assume this is submitted: name=%{name}

We escape %{name} to '%{name}'; when TextParseUtils "sees" the %{...} it will
try to expand it (we would have to check for single quotes around %{}).

In the meanwhile I submitted a patch to the issue for those that need a
quick fix (until a real fix is made), parameters that match the regex
.*?%\{.*?\} won't be accepted. This regex is configured as a parameter to
the params Interceptor.

musachy

On 7/5/07, Musachy Barroso <musachy@gmail.com> wrote:
>
> In that case we would have to escape back the strings at some point.
>
> musachy
>
> On 7/5/07, Antonio Petrelli < antonio.petrelli@gmail.com> wrote:
> >
> > 2007/7/5, Musachy Barroso < musachy@gmail.com>:
> > > The thing is that there isn't (that I see) any way to know if a value
> > > was passed by the user.
> >
> > What about escaping the strings, then?
> >
> > Antonio
> >
> >
>
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd
>



-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd

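The two points in the message above, as an added example that is not part of the thread and not Struts' own code: first, the quick fix, rejecting any parameter that matches the regex `.*?%\{.*?\}` before it reaches the expression evaluator; second, why wrapping a value in single quotes does not neutralise it, because an expander that looks for `%{...}` anywhere in the string still finds it inside the quotes. The message does not say whether the interceptor applies the regex with a full-string match or a find-anywhere match, so both are shown; the `expand()` function is a deliberately simplified stand-in for TextParseUtils, and the parameter names, the sample request and the context dictionary are constructed for the example.

```python
import re
from typing import Dict

# Regex quoted in the message: reject any parameter carrying a "%{...}" sequence.
# DOTALL so a newline smuggled inside the braces cannot defeat the check.
EXCLUDE_PATTERN = re.compile(r".*?%\{.*?\}", re.DOTALL)

# Simplified stand-in for the "%{...}" expansion done by TextParseUtils
# (assumption for this example; the real class does much more).
EXPR_PATTERN = re.compile(r"%\{(.*?)\}", re.DOTALL)


def is_rejected(param: str) -> bool:
    """Find-anywhere semantics: True if "%{...}" occurs anywhere in the parameter."""
    return EXCLUDE_PATTERN.search(param) is not None


def is_rejected_fullmatch(param: str) -> bool:
    """Full-string semantics, as java.util.regex.Matcher.matches() would apply the
    same regex. Because the pattern ends at '\\}', anything after the closing
    brace (e.g. "%{name}x") makes the full match fail and the parameter is accepted."""
    return EXCLUDE_PATTERN.fullmatch(param) is not None


def expand(text: str, ctx: Dict[str, str]) -> str:
    """Expand every "%{key}" from ctx, quoted or not. This is exactly why escaping
    to '%{name}' does not help: the quotes are just text around the expression."""
    return EXPR_PATTERN.sub(lambda m: str(ctx.get(m.group(1), "")), text)


def filter_params(params: Dict[str, str], strict: bool = True) -> Dict[str, str]:
    """Return only the parameters the interceptor would accept.
    strict=True uses find-anywhere matching, strict=False the full-string variant."""
    check = is_rejected if strict else is_rejected_fullmatch
    return {k: v for k, v in params.items() if not check(k)}


if __name__ == "__main__":
    # Constructed sample request: one honest parameter, one carrying an expression.
    request = {"name": "alice", "%{name}": "x", "%{name}x": "y"}
    print(filter_params(request))                 # only "name" survives
    print(filter_params(request, strict=False))   # "%{name}x" slips through
    print(expand("'%{name}'", {"name": "alice"})) # quoting did not stop expansion
```

The find-anywhere form is the safer reading of the quick fix: if the regex is applied with a full-string match, a trailing character after the closing brace is enough to get past it, and the expander still finds the `%{...}` inside.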