struts-issues mailing list archives

From "Pablo Lozano (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4560) ParametersInterceptor check for valid values blocks many acceptable values using the same rules for parameters.
Date Wed, 04 Nov 2015 17:56:27 GMT

    [ https://issues.apache.org/jira/browse/WW-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14990038#comment-14990038 ]

Pablo Lozano commented on WW-4560:
----------------------------------

Thanks for the quick response.

I will check if we can override the interceptor as it is the easiest way. But I wouldn't like
to introduce any security issues if there was a valid reason.
From what I can see on https://struts.apache.org/docs/s2-015.html it looks like it was
fixed before 2.3.20. Could this change be to also apply the same fix for values or similar?

What could be done is use a separate list for excluded/accepted values, although that would
require migration from users who are already depending on the exclusion list to validate values.

The main thing here is that some of our developers seem to have used the excluded params list
to avoid altering certain special parameters on the controllers that are pre-injected.
But with this change it means users cannot input values that match with the name of a parameter.

This probably became visible by a bad practice used on our side as I would expect that this
change could have impacted many other Struts users and it hasn't.

Adding a separate list for excluded values seems easy to implement. My knowledge on the insides
of Struts is very limited but I could try and send a patch.

> ParametersInterceptor check for valid values blocks many acceptable values using the same rules for parameters.
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-4560
>                 URL: https://issues.apache.org/jira/browse/WW-4560
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.3.20, 2.3.24
>            Reporter: Pablo Lozano
>              Labels: Interceptors, validation
>             Fix For: 2.3.25
>
>
> Commit: 5ebc0643b55d728a6713a82559a594d875452cd8
> Added an extra check to validate also parameter Values. Before it only checked if the parameter is accepted.
> This extra check is not allowing some values to be used as they are being blocked which should be perfectly valid values.
> The same rules to validate parameters should not be the same for the values.
> Is there a reason why this is implemented this way?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
