Seolyoung Park created WW-4563:
----------------------------------

             Summary: Regressions after upgrading to 2.3.24.1 to obtain security fix
                 Key: WW-4563
                 URL: https://issues.apache.org/jira/browse/WW-4563
             Project: Struts 2
          Issue Type: Bug
          Components: Core Interceptors
    Affects Versions: 2.3.24
            Reporter: Seolyoung Park


We recently tried to update from 2.3.16.3 to 2.3.4.1 based on 
https://struts.apache.org/docs/s2-026.html; we are hitting regression issues 
due to a change in CookieInterceptor.

It's currently using the same accepted_pattern to check both name and value 
before passing around the cookies. When the cookie values are simple, it works. When 
the cookie value carries special chars, for example when a URL is the cookie value, 
it fails with the existing pattern and is not passed to actions.

I didn't find a way of getting around this in the config, and this has been a 
blocker for us in updating to the version.

Why are we checking cookie values with the same hardcoded pattern only? 
Is there a way to work around this in the config?

    private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
    .....
    protected boolean isAcceptableValue(String value) {
        return !isExcluded(value) && isAccepted(value);
    }
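To reproduce the behaviour the report describes, an added example (not Struts' own code): it compiles the quoted ACCEPTED_PATTERN, applies it to a constructed simple cookie and a constructed cookie whose value is a URL, and lists which characters make the URL value fail. Whole-value matching via matches() and the omission of the isExcluded() branch are assumptions about the interceptor, not taken from the page.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class CookieValueCheck {
    // The accepted pattern quoted in the report (CookieInterceptor).
    private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
    private static final Pattern ACCEPTED = Pattern.compile(ACCEPTED_PATTERN);

    // Mirrors the isAccepted() half of isAcceptableValue(): the whole name or
    // value must match the class (assumption: matches(), not find()).
    static boolean isAccepted(String value) {
        return value != null && ACCEPTED.matcher(value).matches();
    }

    // Collects the distinct characters the class does not allow, so a dropped
    // cookie can be explained in a log line instead of silently disappearing.
    static String rejectedChars(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            String s = String.valueOf(c);
            if (!ACCEPTED.matcher(s).matches() && sb.indexOf(s) < 0) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: a simple session id, and a URL stored as a value.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("sessionId", "abc123");
        samples.put("returnTo", "https://example.com/app?next=home");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String name = e.getKey();
            String value = e.getValue();
            boolean ok = isAccepted(name) && isAccepted(value);
            System.out.printf("%s=%s -> %s%s%n", name, value,
                    ok ? "passed to action" : "dropped",
                    ok ? "" : " (rejected chars in value: " + rejectedChars(value) + ")");
        }
    }
}
```

The second sample is dropped because ':', '/', '?' and '=' are outside the character class, which is exactly the case the report hits.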



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)