https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45206#action_45206
James Holmes commented on WW-2782:
----------------------------------
Is this even an issue now that Struts 2.0.14 has been released? Have you tried
using the latest 2.0.14 release?
> 2.0.11.1 Websphere Workaround Incorrect
> ---------------------------------------
>
> Key: WW-2782
> URL: https://issues.apache.org/struts/browse/WW-2782
> Project: Struts 2
> Issue Type: Bug
> Components: Documentation
> Affects Versions: 2.0.11.2
> Reporter: Kevin Decker
>
> All of the documentation that I could find regarding resolutions for the
> S2-003 security bulletin effectively involves one of two paths if Websphere
> support is required. Both of these workarounds failed within my testing
> environment.
> 1) Use annotations for validation.
> I was not able to make this work. It seemed as though Websphere would fail
> any time there was a validation interceptor on the stack. I was also unable
> to get a root cause stack frame due to my unfamiliarity with the Websphere
> architecture and the root cause being masked by the FileNotFoundException
> filter issue. Punted on this solution due to time constraints.
> 2) Use excludeParams to filter out possibly malicious parameter names.
> It appears that the regex given for this filter is incorrect.
> Given filter: <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
> When this was applied to the params interceptor, the config parser converted
> this into the java string defined by the following:
> ".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*"
> Breaking the \p{Graph} class, causing this expression to match just about
> anything that has characters outside of this set [Graphp{}\] (unescaped
> string).
> This XML fragment appears to resolve the issue:
> <param name="excludeParams">.*[[^\p{Graph}][\\#:=]].*</param>