Posted to issues@struts.apache.org by "Jasper Rosenberg (JIRA)" <ji...@apache.org> on 2014/02/11 13:54:19 UTC

[jira] [Commented] (WW-4288) staticParams interceptor overwrites params conversion errors

    [ https://issues.apache.org/jira/browse/WW-4288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13897818#comment-13897818 ] 

Jasper Rosenberg commented on WW-4288:
--------------------------------------

A few more thoughts:

1. This could be fixed pretty easily I believe by simply changing that line in StaticParametersInterceptor (and the same in ParametersInterceptor) to merge the values of ActionContext.CONVERSION_ERRORS rather than overwrite them. (Either that or when creating newStack from stack, make sure the conversion errors are copied)

2. A workaround for the bug might be to include the conversionError interceptor after each params interceptor (I did a different temp hack which was to add a new interceptor after each params interceptor that saved and restored the value in ActionContext.CONVERSION_ERRORS)

3. It looks like this was broken on 2012-02-22 by issue WW-3760  

4. I think an argument can be made that this is actually a security issue.  If you were relying on type conversion errors to prevent malformed requests getting through, and had both parameter interceptors on your stack, it stopped working with the release of WW-3760.

> staticParams interceptor overwrites params conversion errors
> ------------------------------------------------------------
>
>                 Key: WW-4288
>                 URL: https://issues.apache.org/jira/browse/WW-4288
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.3.15.3
>            Reporter: Jasper Rosenberg
>             Fix For: 2.3.x
>
>
> Have a stack like:
> ...
> <interceptor-ref name="params"/>
> <interceptor-ref name="staticParams"/>
> ...
> <interceptor-ref name="conversionError"/>
> If you have type conversion errors in params, they aren't seen by the conversionError interceptor.
> It looks like this in StaticParametersInterceptor:
> {code:java}
> if (clearableStack && (stack.getContext() != null) && (newStack.getContext() != null))
>     stack.getContext().put(ActionContext.CONVERSION_ERRORS, newStack.getContext().get(ActionContext.CONVERSION_ERRORS));
> {code}
> ends up just overwriting the old value of ActionContext.CONVERSION_ERRORS rather than merging.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
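
The overwrite-versus-merge behaviour discussed in the message above, as an added example that is not part of the original message and is not Struts code. Plain maps stand in for the two value-stack contexts; the class name, the helper methods, the key string and the sample "age=abc" error are all hypothetical, and it assumes the staticParams stage itself produced no conversion errors.

```java
import java.util.HashMap;
import java.util.Map;

// Self-contained model of the behaviour described in WW-4288.
// Plain maps stand in for the value-stack contexts; no Struts classes are used.
public class ConversionErrorMergeDemo {
    // Stand-in for the ActionContext.CONVERSION_ERRORS context key (assumed value).
    static final String CONVERSION_ERRORS = "CONVERSION_ERRORS";

    // Behaviour described in the report: the new stack's value replaces the old one.
    static void overwrite(Map<String, Object> ctx, Map<String, Object> newCtx) {
        ctx.put(CONVERSION_ERRORS, newCtx.get(CONVERSION_ERRORS));
    }

    // Behaviour suggested in the comment: keep existing errors and add the new ones.
    @SuppressWarnings("unchecked")
    static void merge(Map<String, Object> ctx, Map<String, Object> newCtx) {
        Map<String, Object> merged = new HashMap<>();
        Map<String, Object> old = (Map<String, Object>) ctx.get(CONVERSION_ERRORS);
        Map<String, Object> added = (Map<String, Object>) newCtx.get(CONVERSION_ERRORS);
        if (old != null) merged.putAll(old);
        if (added != null) merged.putAll(added);
        ctx.put(CONVERSION_ERRORS, merged);
    }

    // Context as left by the params stage: "age=abc" failed conversion (constructed sample).
    static Map<String, Object> afterParams() {
        Map<String, Object> errors = new HashMap<>();
        errors.put("age", "abc");
        Map<String, Object> ctx = new HashMap<>();
        ctx.put(CONVERSION_ERRORS, errors);
        return ctx;
    }

    public static void main(String[] args) {
        // Assumption: the staticParams stage converted cleanly, so its error map is empty.
        Map<String, Object> staticCtx = new HashMap<>();
        staticCtx.put(CONVERSION_ERRORS, new HashMap<String, Object>());

        Map<String, Object> a = afterParams();
        overwrite(a, staticCtx);   // the error recorded for "age" is lost
        System.out.println("overwrite: " + a.get(CONVERSION_ERRORS));

        Map<String, Object> b = afterParams();
        merge(b, staticCtx);       // the error recorded for "age" is still present
        System.out.println("merge:     " + b.get(CONVERSION_ERRORS));
    }
}
```

A regression test for an application that relies on conversionError to reject malformed input can assert the same property: an error recorded by the first parameters stage is still present when the conversionError interceptor runs.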