From: "Lukasz Lenart (JIRA)"
To: issues@struts.apache.org
Reply-To: dev@struts.apache.org
Date: Wed, 15 Apr 2015 09:40:59 +0000 (UTC)
Subject: [jira] [Commented] (WW-4486) Default parameter exclusions blocking legitimate values

[ https://issues.apache.org/jira/browse/WW-4486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14495935#comment-14495935 ]

Lukasz Lenart commented on WW-4486:
-----------------------------------

hm... basically the real issue here is {{classLoader}} not the {{class}} itself.
> Default parameter exclusions blocking legitimate values
> -------------------------------------------------------
>
>                 Key: WW-4486
>                 URL: https://issues.apache.org/jira/browse/WW-4486
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.3.20
>            Reporter: Jasper Rosenberg
>            Priority: Critical
>             Fix For: 2.5
>
>
> In ParametersInterceptor.setParameters(), when building acceptableParameters(), it applies the check isAcceptableValue not just to the parameter name, but also to the parameter value. This is a huge problem because the default excludedPatterns include phrases that will come up in normal user form submissions.
> For example, the way I discovered this is that one pattern is "(.*\.|^|.*|\[('|"))\bclass(\.|('|")]|\[).*"
> We are a car site, so when a user tried to post a message about a Mercedes M class: "That's M class. You asked for G class, different beast!"
> The "class." at the end of the first sentence was rejected and so their post failed.
> What is the reason for applying the exclusion patterns wholesale to the parameter value? Is it even necessary at all, or is there some kind of escape character that normally tells ognl to evaluate an expression in the value, in which case we could check for exclusion pattern matches just within those?
> As it is though, the current solution is going to cause some occasional very peculiar behavior for developers. Not sure if this should actually be a blocker bug since the only reasonable workaround seems to be to hack the ParametersInterceptor locally (since one shouldn't remove the exclusion patterns in general).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
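The reporter's example worked through, as an added illustration that is not Struts code: the exclusion pattern quoted in the report is applied to parameter names and, optionally, to parameter values, which reproduces the false positive on the car-site comment while showing that name-based exclusion is unaffected. Assumptions: the pattern is applied as a whole-string match (Java `Matcher.matches()` semantics, no flags), and the form data is constructed for the example.

```python
import re

# The default Struts 2.3.20 exclusion pattern quoted in the report (one of several).
CLASS_PATTERN = r"""(.*\.|^|.*|\[('|"))\bclass(\.|('|")]|\[).*"""

# Assumption: the interceptor applies each pattern as a whole-string match.
EXCLUDED = [re.compile(CLASS_PATTERN)]


def is_excluded(text: str) -> bool:
    """True if any exclusion pattern matches the whole string."""
    return any(p.fullmatch(text) for p in EXCLUDED)


def acceptable_parameters(params: dict, check_values: bool) -> dict:
    """Model of ParametersInterceptor building acceptableParameters.

    check_values=True  -> the reported 2.3.20 behaviour: name AND value are screened.
    check_values=False -> only the parameter name is screened.
    """
    accepted = {}
    for name, value in params.items():
        if is_excluded(name):
            continue  # name-based exclusion stays in place either way
        if check_values and is_excluded(value):
            continue  # the false positive the report describes
        accepted[name] = value
    return accepted


# Constructed request, modelled on the report's car-site example.
FORM = {
    "post.body": "That's M class. You asked for G class, different beast!",
    "post.title": "M class vs G class",  # "class" not followed by "." -> no match
    "class.x": "anything",  # a parameter name the pattern is meant to block
}

if __name__ == "__main__":
    # Value screening drops the legitimate post.body; name screening alone keeps it.
    print(acceptable_parameters(FORM, check_values=True))
    print(acceptable_parameters(FORM, check_values=False))
```

Only the trailing "." after "class" triggers the pattern; "M class vs G class" passes even with value screening on.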