[jira] Commented: (WW-2782) 2.0.11.1 Websphere Workaround Incorrect

[Kevin Decker (JIRA)]

    [ 
https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45232#action_45232
 ] 

Kevin Decker commented on WW-2782:
----------------------------------

We intend to upgrade to the latest version of struts in the near future. Our QA 
department isn't scheduled to examine the branch that the struts upgrade will 
be going into for quite some time so I will try to test this myself and update 
the bug with the results.

> 2.0.11.1 Websphere Workaround Incorrect
> ---------------------------------------
>
>                 Key: WW-2782
>                 URL: https://issues.apache.org/struts/browse/WW-2782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 2.0.11.2
>            Reporter: Kevin Decker
>
> From all of the documentation that I could find regarding resolutions for the 
> S2-003 security bulletin, effectively involve one of two paths if websphere 
> support is required. Both of these workarounds failed within my testing 
> environment.
> 1) Use annotations for validation.
> I was not able to make this work. It seemed as though Websphere would fail 
> any time there was a validation interceptor on the stack. I was also unable 
> to get a root cause stack frame due to my unfamilarity with the Websphere 
> architecture and the root cause being masked by the FileNotFoundException 
> filter issue. Punted on this solution due to time constraints.
> 2) Use excludeParams to filter out possibly malicous parameter names.
> It appears that the reg ex given for this filter is incorrect.
> Given filter: <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
> When this was applied to the params interceptor, the config parser converted 
> this into the java string defined by the following:
> ".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*"
> Breaking the \p{Graph} class, causing this expression to match just about 
> anything that has characters outside of this set [Graphp{}\] (unescaped 
> string).
> This XML fragment appears to resolve the issue:
>  <param name="excludeParams">.*[[^\p{Graph}][\\#:=]].*</param>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.