Posted to issues@struts.apache.org by "Andrea Vettori (Jira)" <ji...@apache.org> on 2020/01/29 13:46:00 UTC

[jira] [Created] (WW-5056) Standard Accepted Patterns in DefaultAcceptedPatternsChecker

Andrea Vettori created WW-5056:
----------------------------------

             Summary: Standard Accepted Patterns in DefaultAcceptedPatternsChecker
                 Key: WW-5056
                 URL: https://issues.apache.org/jira/browse/WW-5056
             Project: Struts 2
          Issue Type: Improvement
          Components: Core Interceptors
            Reporter: Andrea Vettori


Currently the regex used to match allowed parameters is:

   public static final String[] ACCEPTED_PATTERNS = {
           "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
   };

For parameters that are mapped to a map, this restricts the keys to letters, numbers and underscores.

It would be nice to allow all characters that are allowed in POST data and URLs. For example, a parameter like map['key-subkey'] is currently not allowed, but it should cause no harm.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
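
Added example (not part of the original message and not Struts code): the pattern quoted in the issue, run against constructed parameter names, beside a hypothetical variant that also permits '-' inside quoted map keys. The class name, `WIDENED`, the sample names and the whole-name `matches()` call are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class AcceptedPatternDemo {
    // Pattern exactly as quoted in the issue (ACCEPTED_PATTERNS[0]).
    static final String CURRENT =
        "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*";

    // Hypothetical key class (assumption, not the project's change):
    // the original key characters plus '-'. Quotes, brackets, parentheses
    // and operators are still excluded from keys.
    static final String KEY = "(\\w|-|[\\u4e00-\\u9fa5])+";
    static final String WIDENED =
        "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['" + KEY + "'\\])|(\\('" + KEY + "'\\)))*";

    // Constructed sample parameter names.
    static final String[] NAMES = {
        "user.name",
        "items[0]",
        "map['key']",
        "map['\u4e2d\u6587']",   // key in the CJK range the pattern allows
        "map['key-subkey']",     // the case raised in the issue
        "map['a'+'b']",          // operator between quoted strings
        "map['k'].size()",       // method-call syntax
        "map[\"key\"]"           // double-quoted key
    };

    // Assumption: the checker accepts a name only if the whole name matches.
    static boolean accepted(String regex, String name) {
        return Pattern.compile(regex).matcher(name).matches();
    }

    public static void main(String[] args) {
        for (String name : NAMES) {
            System.out.printf("%-20s current=%-5b widened=%b%n",
                name, accepted(CURRENT, name), accepted(WIDENED, name));
        }
    }
}
```

Of these names, only `map['key-subkey']` changes result between the two patterns; the names containing an operator, a method call or a double-quoted key are rejected by both.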