You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2016/06/26 20:27:52 UTC

[jira] [Comment Edited] (WW-4620) ParametersInterceptor should check collection index to against DOS

    [ https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15350225#comment-15350225 ] 

Lukasz Lenart edited comment on WW-4620 at 6/26/16 8:27 PM:
------------------------------------------------------------

But your example code expects parameter to be named as {{collection[]=1&collection[]=2}} but this isn't a proper naming for collection parameters - in Java world it will be simple the same parameter, i.e. {{collection=1&collection=2}}


was (Author: lukaszlenart):
But your example code expects parameter to names named as {{collection[]=1&collection[]=2}} but this isn't a proper naming for collection parameters - in Java world it will be simple the same parameter, i.e. {{collection=1&collection=2}}

> ParametersInterceptor should check collection index to against DOS
> ------------------------------------------------------------------
>
>                 Key: WW-4620
>                 URL: https://issues.apache.org/jira/browse/WW-4620
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: zhouyanming
>            Priority: Critical
>             Fix For: 2.3.30, 2.5.2
>
>
> https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
> This is my workaround:
> {code:java}
> import org.apache.commons.lang3.StringUtils;
> import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
> import com.opensymphony.xwork2.util.logging.Logger;
> import com.opensymphony.xwork2.util.logging.LoggerFactory;
> public class ParamsInterceptor extends ParametersInterceptor {
> 	private static final Logger LOG = LoggerFactory.getLogger(ParametersInterceptor.class);
> 	protected int autoGrowCollectionLimit = 255;
> 	public void setAutoGrowCollectionLimit(int autoGrowCollectionLimit) {
> 		this.autoGrowCollectionLimit = autoGrowCollectionLimit;
> 	}
> 	@Override
> 	protected boolean acceptableName(String name) {
> 		boolean b = super.acceptableName(name);
> 		if (b) {
> 			int start = name.indexOf('[');
> 			while (start > 0) {
> 				int end = name.indexOf(']', start);
> 				if (end < 0)
> 					break;
> 				String s = name.substring(start + 1, end);
> 				if (StringUtils.isNumeric(s)) {
> 					int index = Integer.valueOf(s);
> 					if (index > autoGrowCollectionLimit) {
> 						LOG.warn("Parameter \"#0\" exceed max index: [#1]", name, autoGrowCollectionLimit);
> 						return false;
> 					}
> 				}
> 				start = name.indexOf('[', end);
> 			}
> 		}
> 		return b;
> 	}
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)