struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4563) Regressions after upgrading to 2.3.24.1 to obtain security fix
Date Thu, 25 Feb 2016 18:34:18 GMT

    [ https://issues.apache.org/jira/browse/WW-4563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15167604#comment-15167604
] 

Hudson commented on WW-4563:
----------------------------

SUCCESS: Integrated in Struts-JDK7-master #429 (See [https://builds.apache.org/job/Struts-JDK7-master/429/])
WW-4563 Reverts checking if value is excluded and uses Internal Security (lukaszlenart: rev
41227fab823c7078d1f4879eefbfe39230191571)
* core/src/main/java/org/apache/struts2/interceptor/CookieInterceptor.java
* core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java


> Regressions after upgrading to 2.3.24.1 to obtain security fix
> --------------------------------------------------------------
>
>                 Key: WW-4563
>                 URL: https://issues.apache.org/jira/browse/WW-4563
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.3.24
>            Reporter: Seolyoung Park
>            Assignee: Lukasz Lenart
>              Labels: security
>             Fix For: 2.3.25, 2.5
>
>
> We recently tried to update from 2.3.16.3 to 2.3.4.1  based on 
> https://struts.apache.org/docs/s2-026.html, we are hitting regressions issues due to
a change in CookieInterceptor.  
> It's currently using the same accepted_pattern to check out both name & value to
pass around the cookies. When the cookie values are simple, it works.  When the cookie value
carries a special chars for example a url is the cookie value, it fails with the existing
pattern and it is not passed to actions. 
> I didn't find a way getting around this in the config and this has been a blocker for
us to update to the version.
> Why are we checking for cookie values with the same hardcoded pattern only ?  If there
is a way to workaround this in the config? 
>     private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
>     .....    
> protected boolean isAcceptableValue(String value) {
>         return !isExcluded(value) && isAccepted(value);
>     }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message