struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "victorsosa (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4620) ParametersInterceptor should check collection index to against DOS
Date Mon, 27 Jun 2016 13:53:52 GMT

    [ https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15351035#comment-15351035
] 

victorsosa commented on WW-4620:
--------------------------------

I don't think Struts support params collections in anyway, right now. And yes this patch doesn't
take in account collection itself; but rather the list size parameter as I said before, also
as Lukasz said in Java the collections are different. I am waiting for [~lukaszlenart] anwser
in this case.

> ParametersInterceptor should check collection index to against DOS
> ------------------------------------------------------------------
>
>                 Key: WW-4620
>                 URL: https://issues.apache.org/jira/browse/WW-4620
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: zhouyanming
>            Priority: Critical
>             Fix For: 2.3.30, 2.5.2
>
>
> https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
> This is my workaround:
> {code:java}
> import org.apache.commons.lang3.StringUtils;
> import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
> import com.opensymphony.xwork2.util.logging.Logger;
> import com.opensymphony.xwork2.util.logging.LoggerFactory;
> public class ParamsInterceptor extends ParametersInterceptor {
> 	private static final Logger LOG = LoggerFactory.getLogger(ParametersInterceptor.class);
> 	protected int autoGrowCollectionLimit = 255;
> 	public void setAutoGrowCollectionLimit(int autoGrowCollectionLimit) {
> 		this.autoGrowCollectionLimit = autoGrowCollectionLimit;
> 	}
> 	@Override
> 	protected boolean acceptableName(String name) {
> 		boolean b = super.acceptableName(name);
> 		if (b) {
> 			int start = name.indexOf('[');
> 			while (start > 0) {
> 				int end = name.indexOf(']', start);
> 				if (end < 0)
> 					break;
> 				String s = name.substring(start + 1, end);
> 				if (StringUtils.isNumeric(s)) {
> 					int index = Integer.valueOf(s);
> 					if (index > autoGrowCollectionLimit) {
> 						LOG.warn("Parameter \"#0\" exceed max index: [#1]", name, autoGrowCollectionLimit);
> 						return false;
> 					}
> 				}
> 				start = name.indexOf('[', end);
> 			}
> 		}
> 		return b;
> 	}
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message