[ https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45239#action_45239 ]

Kevin Decker commented on WW-2782:
----------------------------------

Updated to 2.0.14, removed the excludeParams param and did a quick test within 
our app. Everything seems fine. I don't believe this bug is still an issue 
since the docs in question were for a short term work around that a fix has 
been released for.

> 2.0.11.1 Websphere Workaround Incorrect
> ---------------------------------------
>
>                 Key: WW-2782
>                 URL: https://issues.apache.org/struts/browse/WW-2782
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 2.0.11.2
>            Reporter: Kevin Decker
>
> All of the documentation that I could find regarding resolutions for the 
> S2-003 security bulletin effectively involves one of two paths if websphere 
> support is required. Both of these workarounds failed within my testing 
> environment.
> 1) Use annotations for validation.
> I was not able to make this work. It seemed as though Websphere would fail 
> any time there was a validation interceptor on the stack. I was also unable 
> to get a root cause stack frame due to my unfamiliarity with the Websphere 
> architecture and the root cause being masked by the FileNotFoundException 
> filter issue. Punted on this solution due to time constraints.
> 2) Use excludeParams to filter out possibly malicious parameter names.
> It appears that the regex given for this filter is incorrect.
> Given filter: <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
> When this was applied to the params interceptor, the config parser converted 
> this into the java string defined by the following:
> ".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*"
> Breaking the \p{Graph} class, causing this expression to match just about 
> anything that has characters outside of this set [Graphp{}\] (unescaped 
> string).
> This XML fragment appears to resolve the issue:
>  <param name="excludeParams">.*[[^\p{Graph}][\\#:=]].*</param>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
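To make the escaping problem in the quoted report concrete, here is an added Java example (not code from the Struts project or from the reporter) that compiles both regexes, the one as the config parser read it and the corrected one, and runs them over a few constructed parameter names. It assumes the interceptor drops a parameter when its name fully matches an excludeParams pattern.

```java
import java.util.List;
import java.util.regex.Pattern;

public class ExcludeParamsCheck {
    // Regex as the config parser read the documented XML fragment (the
    // reporter's Java string): the doubled backslash turns \p{Graph} into a
    // literal '\' followed by the plain characters p { G r a p h }, so the
    // negated class matches any character outside that small set.
    static final Pattern BROKEN =
        Pattern.compile(".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*");

    // Regex from the corrected XML fragment: a name is excluded when it
    // contains a non-graphic character or one of \ # : =
    static final Pattern FIXED =
        Pattern.compile(".*[[^\\p{Graph}][\\\\#:=]].*");

    // Assumption: the params interceptor rejects a parameter whose name
    // matches an excludeParams pattern in full, which matches() checks here.
    static boolean isExcluded(Pattern excludeParams, String paramName) {
        return excludeParams.matcher(paramName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, not taken from any real request
        List<String> names = List.of(
            "username",          // ordinary form field
            "user.address.city", // nested property, legitimate
            "foo#bar",           // contains '#'
            "a=b",               // contains '='
            "first name",        // contains whitespace, not in \p{Graph}
            "Graph"              // built only from letters the broken class allows
        );
        System.out.printf("%-20s %-8s %-8s%n", "param name", "broken", "fixed");
        for (String n : names) {
            System.out.printf("%-20s %-8b %-8b%n", n,
                isExcluded(BROKEN, n), isExcluded(FIXED, n));
        }
    }
}
```

With the broken pattern every name is excluded except ones spelled entirely from the characters `Graphp{}\`, so ordinary fields such as `username` never reach the action; the corrected pattern excludes only names containing whitespace, control characters or one of `\`, `#`, `:`, `=`.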
