struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tom Briers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4098) DefaultActionMapper is cleaning up correct action names
Date Thu, 06 Jun 2013 07:20:20 GMT

    [ https://issues.apache.org/jira/browse/WW-4098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13676789#comment-13676789
] 

Tom Briers commented on WW-4098:
--------------------------------

Hmm, it seems there will not be a fasttrack for this and we will be using 2.3.14.3 in production
so I'll be using the quickfix:
{code}
<constant name"struts.allowed.action.names" value="[a-zA-Z0-9._!/\-]*"/>
{code}

Thank you for the quick reply!
                
> DefaultActionMapper is cleaning up correct action names
> -------------------------------------------------------
>
>                 Key: WW-4098
>                 URL: https://issues.apache.org/jira/browse/WW-4098
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.14.3
>            Reporter: Tom Briers
>            Assignee: Lukasz Lenart
>             Fix For: 2.3.15
>
>
> With the new security release I'm seeing warnings in my logs for 'correct' action names:
> 08:57:39,711 WARN  [DefaultActionMapper] Action [getCamelCase] do not match allowed action
names pattern [[a-z]*[A-Z]*[0-9]*[.\-_!/]*], cleaning it up!
> It seems to be linked to actions in camelCase.  I believe those are correct.
> The current pattern to check is the following: [a-z]*[A-Z]*[0-9]*[.\\-_!/]*
> I think it should be something like follows: [a-zA-Z0-9.\\-_!/]*
> I did a quick test with the following results:
> {code}
> 	public static void main(String[] args)
> 	{
> 		String currentPattern = "[a-z]*[A-Z]*[0-9]*[.\\-_!/]*";
> 		String newPattern = "[a-zA-Z0-9.\\-_!/]*";
> 		System.out.println("test".matches(currentPattern)); //true
> 		System.out.println("testCamel".matches(currentPattern)); //false
> 		System.out.println("test".matches(newPattern));  //true
> 		System.out.println("testCamel".matches(newPattern)); //true
> }
> {code}
> Please beware that I am not a regex specialist so review it carefully.
> 	

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message