[jira] [Updated] (WW-5056) Standard Accepted Patterns in DefaultAcceptedPatternsChecker

Lukasz Lenart (Jira) Thu, 30 Jan 2020 00:48:23 -0800


     [ 
https://issues.apache.org/jira/browse/WW-5056?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Lukasz Lenart updated WW-5056:
------------------------------
    Fix Version/s: 2.6

> Standard Accepted Patterns in DefaultAcceptedPatternsChecker
> ------------------------------------------------------------
>
>                 Key: WW-5056
>                 URL: https://issues.apache.org/jira/browse/WW-5056
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: Andrea Vettori
>            Priority: Minor
>             Fix For: 2.6
>
>
> Currently the regex used to match allowed parameters is
>  
>    public static final String[] ACCEPTED_PATTERNS = {
>            
> "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
>    };
>  
> For parameters that are mapped to a map, this restricts the keys to letters, 
> numbers and underscore.
> It would be nice to allow all characters that are allowed in POST data and 
> URLs, for example a parameter like map['key-subkey'] is currently not 
> allowed, but it should cause no harm.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (WW-5056) Standard Accepted Patterns in DefaultAcceptedPatternsChecker

Reply via email to