2.0.11.1 Websphere Workaround Incorrect
---------------------------------------
Key: WW-2782
URL: https://issues.apache.org/struts/browse/WW-2782
Project: Struts 2
Issue Type: Bug
Components: Documentation
Affects Versions: 2.0.11.2
Reporter: Kevin Decker
>From all of the documentation that I could find regarding resolutions for the
>S2-003 security bulletin, effectively involve one of two paths if websphere
>support is required. Both of these workarounds failed within my testing
>environment.
1) Use annotations for validation.
I was not able to make this work. It seemed as though Websphere would fail any
time there was a validation interceptor on the stack. I was also unable to get
a root cause stack frame due to my unfamilarity with the Websphere architecture
and the root cause being masked by the FileNotFoundException filter issue.
Punted on this solution due to time constraints.
2) Use excludeParams to filter out possibly malicous parameter names.
It appears that the reg ex given for this filter is incorrect.
Given filter: <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
When this was applied to the params interceptor, the config parser converted
this into the java string defined by the following:
".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*"
Breaking the \p{Graph} class, causing this expression to match just about
anything that has characters outside of this set [Graphp{}\] (unescaped string).
This XML fragment appears to resolve the issue:
<param name="excludeParams">.*[[^\p{Graph}][\\#:=]].*</param>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
