Posted to issues@struts.apache.org by "Johno Crawford (JIRA)" <ji...@apache.org> on 2013/10/19 09:52:47 UTC

[jira] [Comment Edited] (WW-4066) Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException

    [ https://issues.apache.org/jira/browse/WW-4066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13799824#comment-13799824 ] 

Johno Crawford edited comment on WW-4066 at 10/19/13 7:52 AM:
--------------------------------------------------------------

Sure, our apps are built on the original behaviour that global rules from struts.xml would be enforced. This allows us to avoid exploits such as http://struts.apache.org/release/2.3.x/docs/s2-009.html, as implementing ParameterNameAware for an action will ignore rules defined in the acceptParamNames param tag. Now, to get back the original behaviour, we are having to subclass ParametersInterceptor and copy massive chunks of code, as there is no easy way to override SecurityMemberAccess. Frankly speaking, I would like to see a configuration option for the "new" behaviour and default to the original behaviour.


was (Author: johno):
Sure, our apps are built on the original behaviour that global rules from struts.xml would be enforced. This allows us to avoid exploits such as http://struts.apache.org/release/2.3.x/docs/s2-009.html, as implementing ParameterNameAware for an action will ignore rules defined in the acceptParamNames param tag. Now, to get back the original behaviour, we are having to subclass ParametersInterceptor and copy massive chunks of code, as there is no easy way to override SecurityMemberAccess.

> Submitting form with parameters using brackets while devMode=true yields StringIndexOutOfBoundsException
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WW-4066
>                 URL: https://issues.apache.org/jira/browse/WW-4066
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.3.14
>            Reporter: Chris Cranford
>            Assignee: Lukasz Lenart
>             Fix For: 2.3.16
>
>         Attachments: ParametersInterceptor.java, testcase.zip
>
>
> Our BaseAction which extends ActionSupport overrides the addActionMessage() with the following:
> {code:java}
> @Override
> public void addActionMessage(String message) {
>   super.addActionMessage(getText(message));
> }
> {code}
> With the above method in place during devMode=true, the following error stack trace occurs:
> {noformat}
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>   at java.lang.String.substring(String.java:1871)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:426)
>   at com.opensymphony.xwork2.util.LocalizedTextUtil.findText(LocalizedTextUtil.java:362)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:208)
>   at com.opensymphony.xwork2.TextProviderSupport.getText(TextProviderSupport.java:123)
>   at com.opensymphony.xwork2.ActionSupport.getText(ActionSupport.java:103)
>   at com.setech.dw.common.web.BaseAction.addActionMessage(BaseAction.java:209)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:337)
>   at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:241)
> {noformat}


