I have now had a few uploads blocked, mainly due to sentence punctuation
in the image name, i.e. apostrophe and ampersand symbols.
It would be better here to just escape the string and warn rather than
just block it; requiring the user to remove the characters is a waste of
time, as this can easily be done in the code.
Most apps would/should be sanitizing upload file names, especially in
downloaded images. Rather than an alphanumeric replace, this works well
for ASCII (I have had many attempts at this 🙁):
import java.text.Normalizer; // needed for the line below
Normalizer.normalize(fileName, Normalizer.Form.NFD).replaceAll("[^\\p{ASCII}]", "");
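An added example, not Struts code and not from any poster in this thread: the escape-and-warn approach above, combined with stripping path components and returning a message the caller can show the user, as a stand-alone Java helper (class and method names are hypothetical).

```java
import java.text.Normalizer;
import java.util.Optional;

// Added example, not Struts code: sanitize an uploaded file name instead of
// rejecting the upload, and report what changed so the caller can warn the user.
// Class and method names are hypothetical.
public final class FileNameSanitizer {

    public static final class Result {
        public final String name;
        public final Optional<String> warning; // empty when nothing was altered
        Result(String name, Optional<String> warning) { this.name = name; this.warning = warning; }
    }

    public static Result sanitize(String original) {
        if (original == null || original.isEmpty()) {
            return new Result("upload", Optional.of("Empty file name replaced with 'upload'"));
        }
        // 1. Keep only the last path segment: a client-supplied name must never
        //    carry directory components, whatever separator the client used.
        String s = original.replace('\\', '/');
        s = s.substring(s.lastIndexOf('/') + 1);
        // 2. NFD decomposition, then drop non-ASCII (the approach from the thread):
        //    "é" becomes "e" plus a combining accent, and the accent is removed.
        s = Normalizer.normalize(s, Normalizer.Form.NFD).replaceAll("[^\\p{ASCII}]", "");
        // 3. Remove control characters and punctuation that causes trouble in
        //    shells, HTML and headers (apostrophe, ampersand, quotes, etc.).
        s = s.replaceAll("[\\p{Cntrl}'\"&<>;|`$*?:]", "");
        // 4. Strip leading dots so the result is never ".", ".." or a hidden file.
        s = s.replaceAll("^\\.+", "");
        if (s.isEmpty()) {
            s = "upload";
        }
        Optional<String> warning = s.equals(original)
                ? Optional.empty()
                : Optional.of("Unsupported characters in file name were removed: '"
                        + original + "' -> '" + s + "'");
        return new Result(s, warning);
    }

    public static void main(String[] args) {
        // Constructed sample names; the first two are altered, the third is left alone.
        for (String n : new String[]{"résumé's & cover.pdf", "../../other/dir/notes.txt", "clean_name.txt"}) {
            Result r = sanitize(n);
            System.out.println(r.name + r.warning.map(w -> "  [" + w + "]").orElse(""));
        }
    }
}
```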
On 09/02/2025 08:45, Lukasz Lenart wrote:
This is rather a hardening to avoid potential feature security
vulnerabilities. In ParametersInterceptor we do not allow certain
names of the parameters, and the same should be used for uploading and
any other "user input".
Maybe it would be good to create one common mechanism which can be
shared by any interceptor/action :thinking:
Fri, 7 Feb 2025 at 13:02 Greg Huber<gregh3...@gmail.com> wrote:
What is this actually escaping? Stuff that can mess with the system?
Not had any uploads bounce so far.
On 05/02/2025 04:20, Kusal Kithul-Godage wrote:
I've just tested this with the Confluence Data Center application.
The file name filtering is actually causing a user experience regression for us.
Previously, we were able to validate the filename manually and display
the user an error - "Unsupported characters in file name". Now that
the file is discarded immediately, it shows the user an "Upload not
found" error which is not accurate.
I think the new validation should also add a LocalizedMessage that can
be retrieved by MultiPartRequest#getErrors like we have for other
validations. What do you think?
On Tue, Feb 4, 2025 at 5:59 PM Lukasz Lenart<lukaszlen...@apache.org> wrote:
Hello,
This is a patch release of Struts 6.x.x which contains only
non-breaking changes. Please take the time and test the bits - any
help is appreciated. Please report any problems you spot.
Here are the changes from the previous version:
https://github.com/apache/struts/releases/tag/STRUTS_6_7_2
Staging Maven repo
https://repository.apache.org/content/groups/staging/
Standalone artifacts
https://dist.apache.org/repos/dist/dev/struts/6.7.2/
Release notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+6.7.2
Kind regards
--
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org