[
https://issues.apache.org/jira/browse/WW-4486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-4486:
------------------------------
Fix Version/s: 2.5
> Default parameter exclusions blocking legitimate values
> -------------------------------------------------------
>
> Key: WW-4486
> URL: https://issues.apache.org/jira/browse/WW-4486
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.20
> Reporter: Jasper Rosenberg
> Priority: Critical
> Fix For: 2.5
>
>
> In ParametersInterceptor.setParameters(), when building
> acceptableParameters(), it applies the check isAcceptableValue not just just
> to the parameter name, but also to the parameter value. This is a huge
> problem because the default excludedPatterns include phrases that will come
> up in normal user form submissions.
> For example, the way I discovered this is that one pattern is
> "(.*\.|^|.*|\[('|"))\bclass(\.|('|")]|\[).*"
> We are a car site, so when a user tried to post a message about a Mercedes M
> class: "That's M class. You asked for G class, different beast!"
> The "class." at the end of the first sentence was rejected and so their post
> failed.
> What is the reason for applying the exclusion patterns wholesale to the
> parameter value? Is it even necessary at all, or is there some kind of
> escape character that normally tells ognl to evaluate an expression in the
> value, in which case we could check for exclusion pattern matches just within
> those?
> As it is though, the current solution is going to cause some occasional very
> peculiar behavior for developers. Not sure if this should actually be a
> blocker bug since the only reasonable workaround seems to be to hack the
> ParametersInterceptor locally (since one shouldn't remove the exclusion
> patterns in general).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
