[ https://issues.apache.org/jira/browse/WW-4563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15167499#comment-15167499 ]
ASF subversion and git services commented on WW-4563:
-----------------------------------------------------
Commit 41227fab823c7078d1f4879eefbfe39230191571 in struts's branch
refs/heads/master from [~lukaszlenart]
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=41227fa ]
WW-4563 Reverts checking if value is excluded and uses Internal Security Mechanism
> Regressions after upgrading to 2.3.24.1 to obtain security fix
> --------------------------------------------------------------
>
> Key: WW-4563
> URL: https://issues.apache.org/jira/browse/WW-4563
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.3.24
> Reporter: Seolyoung Park
> Assignee: Lukasz Lenart
> Labels: security
> Fix For: 2.3.25, 2.5
>
>
> We recently tried to update from 2.3.16.3 to 2.3.4.1 based on
> https://struts.apache.org/docs/s2-026.html; we are hitting regression issues
> due to a change in CookieInterceptor.
> It is currently using the same accepted_pattern to check both name & value
> before passing the cookies around. When the cookie values are simple, it works.
> When the cookie value carries special chars, for example when a URL is the cookie
> value, it fails with the existing pattern and is not passed to actions.
> I didn't find a way of getting around this in the config, and this has been a
> blocker for us to update to the version.
> Why are we checking cookie values with the same hardcoded pattern only?
> Is there a way to work around this in the config?
> // Single allow-list regex applied to both cookie names and cookie values.
> private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
> .....
> // A value is only passed on when it is not excluded and fully matches the allow-list.
> protected boolean isAcceptableValue(String value) {
>     return !isExcluded(value) && isAccepted(value);
> }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
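To make the reporter's observation concrete, the following added example (not Struts code and not part of the JIRA thread) replays the allow-list check against constructed cookie values. Only the ACCEPTED_PATTERN string is taken from the excerpt quoted above; the class name, the method names and the sample values are assumptions made for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Struts code: shows why a URL-valued cookie never
// reaches the action under the quoted allow-list. Class and method names are
// hypothetical; only ACCEPTED_PATTERN comes from the report.
public class CookieValueAllowList {

    // Pattern quoted from the reporter's CookieInterceptor excerpt.
    private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'\\s]+";
    private static final Pattern ACCEPTED = Pattern.compile(ACCEPTED_PATTERN);

    // matches() requires the whole value to consist of allowed characters,
    // so a single character outside the class rejects the entire cookie.
    static boolean isAccepted(String value) {
        return value != null && ACCEPTED.matcher(value).matches();
    }

    // Collects the distinct characters that fall outside the allow-list, which
    // is what an operator needs when a cookie silently disappears.
    static String offendingChars(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            String s = String.valueOf(c);
            if (!isAccepted(s) && sb.indexOf(s) < 0) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample cookie values (not taken from the report).
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("simple id", "session_42");
        samples.put("bracketed", "user[name] 'x'");
        samples.put("url value", "https://example.org/path?x=1&y=2");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String v = e.getValue();
            System.out.printf("%-10s %-34s accepted=%-5s rejected chars=%s%n",
                    e.getKey(), v, isAccepted(v), offendingChars(v));
        }
    }
}
```

Running it shows the first two values accepted and the URL rejected because of `:`, `/`, `?`, `=` and `&`, none of which are in the character class. The check uses `matches()` rather than `find()`, so the allow-list is applied to the whole value; that is the right semantics for an allow-list, which is why the practical question in the report is what the list should contain, not how it is matched.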