You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Andrea Vettori (Jira)" <ji...@apache.org> on 2020/01/29 13:46:00 UTC
[jira] [Created] (WW-5056) Standard Accepted Patterns in
DefaultAcceptedPatternsChecker
Andrea Vettori created WW-5056:
----------------------------------
Summary: Standard Accepted Patterns in DefaultAcceptedPatternsChecker
Key: WW-5056
URL: https://issues.apache.org/jira/browse/WW-5056
Project: Struts 2
Issue Type: Improvement
Components: Core Interceptors
Reporter: Andrea Vettori
Currently the regex used to match allowed parameters is
public static final String[] ACCEPTED_PATTERNS = {
"\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
};
For parameters that are mapped to a map, this restricts the keys to letters, numbers and underscore.
It would be nice to allow all characters that are allowed in POST data and URLs, for example a parameter like map['key-subkey'] is currently not allowed, but it should cause no harm.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)