You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Chad Cravens (JIRA)" <ji...@apache.org> on 2017/06/13 14:38:00 UTC

[jira] [Created] (WW-4802) Strange Behavior Parsing Action Requests

Chad Cravens created WW-4802:
--------------------------------

             Summary: Strange Behavior Parsing Action Requests
                 Key: WW-4802
                 URL: https://issues.apache.org/jira/browse/WW-4802
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.3.31
            Reporter: Chad Cravens
            Priority: Minor


There seems to be something very odd about Struts method for parsing Action requests. I am currently supporting a large Struts-based system, and have noticed the following behavior in our application.

When a GET request is made to an action method we get the following expected responses:
http://www.example.com/app/defined-action.action  ->  200 OK
http://www.example.com/app/not-defined.action  ->  404 NOT FOUND

However, whenever we introduce a space character (%20) anwhere in the action name, Struts will return a 200 OK no matter whether the action exists or not. For example, we are seeing the following behavior:

http://www.example.com/app/defined-action%20.action  ->  200 OK
http://www.example.com/app/not-defined%20.action  ->  200 OK
http://www.example.com/app/%20.action  ->  200 OK
http://www.example.com/app/defined-actio.action  ->  404 NOT FOUND

It seems that if the request ends in .action and has a %20 anywhere in the name, Struts will always return 200 OK. I would assume that it should return 404.

We are actually running version 2.3.32 (https://struts.apache.org/docs/version-notes-2332.html) but this was not available in the version selection dropdown, so I selected 2.3.31



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)