[
https://issues.apache.org/jira/browse/WW-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14990038#comment-14990038
]
Pablo Lozano commented on WW-4560:
----------------------------------
Thanks for the quick response.
I will check if we can override the interceptor as it is the easiest way. But I
wouldn't like to introduce any security issues if there was a valid reason.
From what I can see on https://struts.apache.org/docs/s2-015.html it looks
like it was fixed before 2.3.20. Could this change be to also apply the same
fix for values or similar?
What could be done is use a separate list for excluded/accepted values,
although that would require migration from users who are already depending on
the exclusion list to validate values.
The main thing here is that some of our developers seem to have used the
excluded params list to avoid altering certain special parameters on the
controllers that are pre-injected.
But with this change it means users cannot input values that match with the
name of a parameter.
This probably became visible by a bad practice used on our side as I would
expect that this change could have impacted many other struts users and it
hasn't.
Adding a separate list for excluded values seems easy to implement. My
knowledge on the insides of struts is very limited but I could try and send a
patch.
> ParametersInterceptor check for valid values blocks many acceptable values
> using the same rules for parameters.
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WW-4560
> URL: https://issues.apache.org/jira/browse/WW-4560
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.20, 2.3.24
> Reporter: Pablo Lozano
> Labels: Interceptors, validation
> Fix For: 2.3.25
>
>
> Commit :5ebc0643b55d728a6713a82559a594d875452cd8
> Added an extra check to validate also parameter Values. Before it only
> checked if the parameter is accepted.
> This extra check is not allowing some values to be used as they are being
> blocked which should be perfectly valid values.
> The same rules to validate parameters should not be the same for the values.
> Is there a reason why this is implemented this way?
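The following is an added illustration, not Struts code and not from the commenter: a small Java model of the two policies discussed in this issue. The name and exclusion patterns are assumptions modeled loosely on the shape of the ParametersInterceptor's accepted/excluded name rules, and the separate value rule (`EXCLUDED_VALUES`) is a hypothetical example of the "separate list for excluded values" the comment proposes. It shows why applying the name rules to values rejects ordinary text such as "Hello, world!" and any value that merely looks like an excluded parameter name, while a value-specific list leaves those alone.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative model only; not the Struts ParametersInterceptor.
public class ParamValueCheckDemo {

    // Accepted parameter-name shape (assumption, loosely modeled on Struts' name rules).
    static final Pattern ACCEPTED_NAME =
        Pattern.compile("\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['\\w+'\\])|(\\(\\w+\\)))*");

    // Excluded parameter names (assumption, loosely modeled on Struts' excludedParams).
    static final List<Pattern> EXCLUDED_NAMES = Arrays.asList(
        Pattern.compile("^struts\\..*"),
        Pattern.compile("^session\\..*"),
        Pattern.compile("^request\\..*"));

    // Hypothetical separate rule for values: reject values carrying expression markup.
    static final List<Pattern> EXCLUDED_VALUES = Arrays.asList(
        Pattern.compile(".*[%$]\\{.*"));

    static boolean nameAccepted(String name) {
        if (!ACCEPTED_NAME.matcher(name).matches()) return false;
        for (Pattern p : EXCLUDED_NAMES) {
            if (p.matcher(name).matches()) return false;
        }
        return true;
    }

    // Policy reported in WW-4560: the name rules are applied to the value as well.
    static boolean acceptSameRules(String name, String value) {
        return nameAccepted(name) && nameAccepted(value);
    }

    // Policy proposed in the comment: names keep their rules, values get their own list.
    static boolean acceptSeparateRules(String name, String value) {
        if (!nameAccepted(name)) return false;
        for (Pattern p : EXCLUDED_VALUES) {
            if (p.matcher(value).matches()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample parameters.
        String[][] samples = {
            {"user.name",    "Hello, world!"},    // ordinary text: rejected only by the name rules
            {"comment",      "session.timeout"},  // value that happens to look like an excluded name
            {"struts.token", "abc"},              // excluded name: rejected under both policies
            {"title",        "%{1+1}"}            // expression-like value: rejected by the value list
        };
        for (String[] s : samples) {
            System.out.printf("%-14s %-18s sameRules=%-5b separateRules=%b%n",
                s[0], s[1], acceptSameRules(s[0], s[1]), acceptSeparateRules(s[0], s[1]));
        }
    }
}
```

Under `acceptSameRules` the first two rows are rejected even though the names are fine, which is the behaviour the issue describes; under `acceptSeparateRules` only the excluded name and the expression-like value are rejected. Whatever the real value list contains, keeping it separate from the name list is what lets the two kinds of input be judged by rules that fit them.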
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)