[ https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15350315#comment-15350315 ]
ASF GitHub Bot commented on WW-4620:
------------------------------------

GitHub user victorsosa opened a pull request:

    https://github.com/apache/struts/pull/104

    WW-4620 ParametersInterceptor should check collection index to against DOS

    ParametersInterceptor should check collection index to against DOS
    Check that the parameters map has at most 255 objects to avoid DoS.
    https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/victorsosa/struts WW-4620

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/struts/pull/104.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #104

----
commit d93bcf9ff5c643cd3c64074085dc81ba6785385a
Author: victorsosa <victor.s...@peopleware.do>
Date:   2016-06-26T23:01:43Z

    WW-4620 ParametersInterceptor should check collection index to against DOS

commit cacb3a62c6f3efa416e30a85a3a5a320cb63d6b3
Author: victorsosa <victor.s...@peopleware.do>
Date:   2016-06-26T23:27:17Z

    small fix set parameter AutoGrowCollectionLimit

commit 31a788d7b19fe8a7e4ee16bcc2f42111baeed93b
Author: victorsosa <victor.s...@peopleware.do>
Date:   2016-06-27T00:36:01Z

    add test cases

----


> ParametersInterceptor should check collection index to against DOS
> ------------------------------------------------------------------
>
>                 Key: WW-4620
>                 URL: https://issues.apache.org/jira/browse/WW-4620
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: zhouyanming
>            Priority: Critical
>             Fix For: 2.3.30, 2.5.2
>
>
> https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
> This is my workaround:
> {code:java}
> import org.apache.commons.lang3.StringUtils;
>
> import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
> import com.opensymphony.xwork2.util.logging.Logger;
> import com.opensymphony.xwork2.util.logging.LoggerFactory;
>
> public class ParamsInterceptor extends ParametersInterceptor {
>
>     private static final Logger LOG = LoggerFactory.getLogger(ParametersInterceptor.class);
>
>     /** Highest numeric collection index accepted inside a parameter name. */
>     protected int autoGrowCollectionLimit = 255;
>
>     public void setAutoGrowCollectionLimit(int autoGrowCollectionLimit) {
>         this.autoGrowCollectionLimit = autoGrowCollectionLimit;
>     }
>
>     @Override
>     protected boolean acceptableName(String name) {
>         boolean b = super.acceptableName(name);
>         if (b) {
>             // Walk every "[...]" segment of the name; numeric ones are collection indices.
>             int start = name.indexOf('[');
>             while (start > 0) {
>                 int end = name.indexOf(']', start);
>                 if (end < 0)
>                     break;
>                 String s = name.substring(start + 1, end);
>                 if (StringUtils.isNumeric(s)) {
>                     // Reject before parsing when the digits cannot fit an int; otherwise
>                     // Integer.valueOf would throw NumberFormatException on a huge index.
>                     if (s.length() > 9 || Integer.valueOf(s) > autoGrowCollectionLimit) {
>                         LOG.warn("Parameter \"#0\" exceed max index: [#1]", name, autoGrowCollectionLimit);
>                         return false;
>                     }
>                 }
>                 start = name.indexOf('[', end);
>             }
>         }
>         return b;
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
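The check that the issue and the pull request describe, as an added example that is neither Struts code nor the reporter's workaround: a stand-alone guard that walks every `[n]` segment of an OGNL-style parameter name and rejects the name when a numeric index exceeds the limit. It goes slightly beyond the workaround by handling nested indices, leaving quoted map keys alone, and rejecting over-long digit strings before they can overflow `int`. The class and method names (`CollectionIndexGuard`, `acceptableIndex`, `filter`) are hypothetical; the limit of 255 is the value the issue uses, and the sample parameter map is constructed, not captured traffic.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not code from Struts or from the issue's workaround: rejects
 * parameter names whose numeric collection index exceeds a configured limit.
 * Class and method names are hypothetical.
 */
public class CollectionIndexGuard {

    private final int autoGrowCollectionLimit;

    public CollectionIndexGuard(int autoGrowCollectionLimit) {
        this.autoGrowCollectionLimit = autoGrowCollectionLimit;
    }

    /**
     * Returns true when every "[n]" segment of the name has n within the limit.
     * Non-numeric bracket contents, such as the map key in "prefs['theme']",
     * are not indices and are left alone. An index with more than nine digits
     * is rejected outright: it cannot be within any sane limit, and parsing it
     * with Integer.parseInt would throw NumberFormatException.
     */
    public boolean acceptableIndex(String name) {
        int start = name.indexOf('[');
        while (start >= 0) {
            int end = name.indexOf(']', start);
            if (end < 0) {
                break; // unbalanced bracket: nothing more to check here
            }
            String inner = name.substring(start + 1, end);
            if (isAsciiDigits(inner)) {
                if (inner.length() > 9 || Integer.parseInt(inner) > autoGrowCollectionLimit) {
                    return false;
                }
            }
            start = name.indexOf('[', end);
        }
        return true;
    }

    /** Drops the entries of a parameter map whose names fail the index check. */
    public Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (acceptableIndex(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    private static boolean isAsciiDigits(String s) {
        if (s.isEmpty()) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < '0' || c > '9') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        CollectionIndexGuard guard = new CollectionIndexGuard(255);

        // Constructed sample request parameters, not captured traffic.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("user.name", new String[] {"alice"});
        params.put("users[3].name", new String[] {"bob"});
        params.put("users[255].roles[2]", new String[] {"admin"});
        params.put("users[256].name", new String[] {"carol"});        // one past the limit
        params.put("users[999999999999].name", new String[] {"x"}); // would overflow int
        params.put("prefs['theme']", new String[] {"dark"});          // map key, not an index

        for (String name : params.keySet()) {
            System.out.println((guard.acceptableIndex(name) ? "accept " : "reject ") + name);
        }
        System.out.println("kept " + guard.filter(params).size() + " of " + params.size());
    }
}
```

Compile and run with `javac CollectionIndexGuard.java && java CollectionIndexGuard`. The guard only inspects names, so it costs nothing per request beyond a scan of each key, which is the point: the expensive part of the original problem is the collection growth OGNL performs after the name is accepted, and this check runs before that happens.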