[
https://issues.apache.org/jira/browse/WW-4090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13676398#comment-13676398
]
Johno Crawford commented on WW-4090:
------------------------------------
Might be nice to compile the regex pattern in the setter as oppose to every
request. In addition the new cleanupActionName seems to be misbehaving with
pretty urls.
2013-06-05 20:20:33,881 WARN [http-8080-exec-5]
(org.apache.struts2.dispatcher.mapper.DefaultActionMapper) Action [logout_ok]
do not match allowed action names pattern [[a-z]*[A-Z]*[0-9]*[.\-_!/]*],
cleaning it up! [userId=1 url=/account/logout_ok referer=null ip=127.0.0.1
parameters=[token:7f4a0dfce0]]
> Remote code execution via wildcard matching and double evaluation of OGNL
> expression
> ------------------------------------------------------------------------------------
>
> Key: WW-4090
> URL: https://issues.apache.org/jira/browse/WW-4090
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions, Expression Language
> Affects Versions: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8,
> 2.1.8.1, 2.2.1, 2.2.1.1, 2.2.3, 2.2.3.1, 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.3,
> 2.3.4, 2.3.4.1, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.14.1, 2.3.14.2
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Blocker
> Fix For: 2.3.14.3
>
>
> See http://struts.apache.org/development/2.x/docs/s2-015.html for more details
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
