[jira] [Commented] (WW-4288) staticParams interceptor overwrites params conversion errors

Tue, 11 Feb 2014 04:55:31 -0800 

    [ 
https://issues.apache.org/jira/browse/WW-4288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13897818#comment-13897818
 ] 

Jasper Rosenberg commented on WW-4288:
--------------------------------------

A few more thoughts:

1. This could be fixed pretty easily I believe by simply changing that line in 
StaticParametersInterceptor (and the same in ParametersInterceptor) to merge 
the values of ActionContext.CONVERSION_ERRORS rather than overwrite them. 
(Either that or when creating newStack from stack, make sure the conversion 
errors are copied)

2. A workaround for the bug might be to include the conversionError interceptor 
after each params interceptor (I did a different temp hack which was to add a 
new interceptor after each params interceptor that saved and restored the value 
in ActionContext.CONVERSION_ERRORS)

3. It looks like this was broken on 2012-02-22 by issue WW-3760  

4. I think an argument can be made that this is actually a security issue.  If 
you were relying on type conversion errors from preventing malformed requests 
getting through, and had both parameter interceptors on your stack, it stopped 
working with the release of WW-3760.

> staticParams interceptor overwrites params conversion errors
> ------------------------------------------------------------
>
>                 Key: WW-4288
>                 URL: https://issues.apache.org/jira/browse/WW-4288
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 2.3.15.3
>            Reporter: Jasper Rosenberg
>             Fix For: 2.3.x
>
>
> Have a stack like:
> ...
> <interceptor-ref name="params">
> <interceptor-ref name="staticParams"/>
> ...
> <interceptor-ref name="conversionError"/>
> If have type conversion errors in params, they aren't seen by the 
> conversionError interceptor.
> It looks like this in StaticParametersInterceptor:
> {code:java}
>                  if (clearableStack && (stack.getContext() != null) && 
> (newStack.getContext() != null))
>                     stack.getContext().put(ActionContext.CONVERSION_ERRORS, 
> newStack.getContext().get(ActionContext.CONVERSION_ERRORS));
> {code}
> ends up just overwriting the old value of ActionContext.CONVERSION_ERRORS 
> rather than merging.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to