[jira] [Commented] (WW-5115) Reduce logging for DMI excluded parameters

[Lukasz Lenart (Jira)]

    [ 
https://issues.apache.org/jira/browse/WW-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17271083#comment-17271083
 ] 

Lukasz Lenart commented on WW-5115:
-----------------------------------

As far I understand the problem is with too much log entries because of 
excluded parameters? If so, I would add a flag (or even a few) to log or not 
the excluded parameters regardless {{devMode}} is on or off.

{code:java}
    private boolean logExcludedParameters = false;
    private boolean logAcceptedParameters = false;
    private boolean logOverLengthLimitParameters = false;

    protected boolean isExcluded(String paramName) {
        ExcludedPatternsChecker.IsExcluded result = 
excludedPatterns.isExcluded(paramName);
        if (result.isExcluded()) {
            if (devMode && logExcludedParameters) { // warn only when in devMode
   ....
{code}

and then in {{struts.xml}}

{code:xml}
                <interceptor-ref name="params">
                    <param name="logExcludedParameters">true</param>
                    <param name="logAcceptedParameters">false</param>
                    <param name="logOverLengthLimitParameters">true</param>
                </interceptor-ref>
{code}

if that works I can prepare a PR.

> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Assignee: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There are unnecessary log warning when DMI is enabled, from the 
> ParametersInterceptor.  
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor 
> ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't 
> match accepted pattern 
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
>  See Accepted / Excluded patterns at 
> https://struts.apache.org/security/#accepted--excluded-patterns
> eg the property 'action:myAction!save' should not be considered as a 
> bean/property parameter, as its used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" 
> needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from 
> DefaultAcceptedPatternsChecker as the DMI action|method would never be a form 
> property.
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>             
> "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };



--
This message was sent by Atlassian Jira
(v8.3.4#803005)