Chad Cravens created WW-4802:
--------------------------------
Summary: Strange Behavior Parsing Action Requests
Key: WW-4802
URL: https://issues.apache.org/jira/browse/WW-4802
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.3.31
Reporter: Chad Cravens
Priority: Minor
There seems to be something very odd about Struts method for parsing Action
requests. I am currently supporting a large Struts-based system, and have
noticed the following behavior in our application.
When a GET request is made to an action method we get the following expected
responses:
http://www.example.com/app/defined-action.action -> 200 OK
http://www.example.com/app/not-defined.action -> 404 NOT FOUND
However, whenever we introduce a space character (%20) anwhere in the action
name, Struts will return a 200 OK no matter whether the action exists or not.
For example, we are seeing the following behavior:
http://www.example.com/app/defined-action%20.action -> 200 OK
http://www.example.com/app/not-defined%20.action -> 200 OK
http://www.example.com/app/%20.action -> 200 OK
http://www.example.com/app/defined-actio.action -> 404 NOT FOUND
It seems that if the request ends in .action and has a %20 anywhere in the
name, Struts will always return 200 OK. I would assume that it should return
404.
We are actually running version 2.3.32
(https://struts.apache.org/docs/version-notes-2332.html) but this was not
available in the version selection dropdown, so I selected 2.3.31
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
