You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Greg Huber (Jira)" <ji...@apache.org> on 2021/04/04 07:36:00 UTC

[jira] [Comment Edited] (WW-5115) Reduce logging for DMI excluded parameters

    [ https://issues.apache.org/jira/browse/WW-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314430#comment-17314430 ] 

Greg Huber edited comment on WW-5115 at 4/4/21, 7:35 AM:
---------------------------------------------------------

Initial remit was to reduce logging, not change the actual logic.  I tried the mod I still get

2021-04-04 08:23:03,016 WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myEdit!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at
https://struts.apache.org/security/#accepted--excluded-patterns

seems "name" = action:myEdit!save is not being ignored here?
{code:java}
 if (isIgnoredDMI(name)) {
        LOG.trace("DMI is enabled, ignoring DMI method: {}", name);
       return false;
 }
boolean accepted = isWithinLengthLimit(name) && !isExcluded(name) && isAccepted(name);
....
{code}


was (Author: gregh99):
Initial remit was to reduce logging, not change the actual logic.  I tried the mod I still get

2021-04-04 08:23:03,016 WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myEdit!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at
https://struts.apache.org/security/#accepted--excluded-patterns

seems "name" action:myEdit!save is not being ignored?
{code:java}
 if (isIgnoredDMI(name)) {
        LOG.trace("DMI is enabled, ignoring DMI method: {}", name);
       return false;
 }
boolean accepted = isWithinLengthLimit(name) && !isExcluded(name) && isAccepted(name);
....
{code}

> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Assignee: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27, 2.6
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> There are unnecessary log warning when DMI is enabled, from the ParametersInterceptor.  
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at https://struts.apache.org/security/#accepted--excluded-patterns
> eg the property 'action:myAction!save' should not be considered as a bean/property parameter, as its used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from DefaultAcceptedPatternsChecker as the DMI action|method would never be a form property.
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>             "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };



--
This message was sent by Atlassian Jira
(v8.3.4#803005)