Posted to issues@struts.apache.org by "Yasser Zamani (Jira)" <ji...@apache.org> on 2022/06/21 11:03:00 UTC

[jira] [Assigned] (WW-5194) UIBean.evaluateParams() throws an IllegalStateException when getting the nonce out of a session that has been invalidated.

     [ https://issues.apache.org/jira/browse/WW-5194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yasser Zamani reassigned WW-5194:
---------------------------------

    Assignee: Yasser Zamani

> UIBean.evaluateParams() throws an IllegalStateException when getting the nonce out of a session that has been invalidated.
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-5194
>                 URL: https://issues.apache.org/jira/browse/WW-5194
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 6.0.0
>            Reporter: Joseph Wolschon
>            Assignee: Yasser Zamani
>            Priority: Minor
>              Labels: UIBean
>             Fix For: 6.0.1
>
>
> h2. Summary
> UIBean.evaluateParams() grabs the nonce out of the session without first checking that it exists, causing an IllegalStateException to be thrown if the session has been invalidated. This breaks our use case where we invalidate a session, but still want to use ActionError to convey information to the user. It doesn't appear that this change relates to removing double evaluations, so I would consider this a regression.
> h2. Triage
> This was introduced when [refactoring to fix double evaluations|https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669caL900]:
> {noformat}
> Object nonceValue = session != null ? session.get("nonce") : null;
> if (nonceValue != null){ 
>     addParameter("nonce", nonceValue.toString()); 
> }{noformat}
> The previous revision first checks that the key exists before attempting to pull it out:
> {noformat}
> if (session.containsKey("nonce")) {               
>    String nonceValue = session.get("nonce").toString();
>    addParameter("nonce", nonceValue);           
> }
> {noformat}
> h2. Proposed Fix
> Revert to the previous revision and first check that the session contains the nonce before getting it from the session.


