[ 
https://issues.apache.org/jira/browse/WW-5115?focusedWorklogId=587760&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-587760
 ]

ASF GitHub Bot logged work on WW-5115:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Apr/21 10:03
            Start Date: 23/Apr/21 10:03
    Worklog Time Spent: 10m 
      Work Description: yasserzamani commented on pull request #469:
URL: https://github.com/apache/struts/pull/469#issuecomment-825549392


   I think your DMI isn't enabled at all because I see that 
DefaultAcceptedPatternsChecker setAcceptedPatterns(DMI_AWARE_ACCEPTED_PATTERNS) 
when DMI is enabled, but at the same time I see that in this PR description, the 
logged accepted pattern isn't DMI_AWARE_ACCEPTED_PATTERNS. It is 
ACCEPTED_PATTERNS which starts with \w+((\., provided 
DMI_AWARE_ACCEPTED_PATTERNS starts with \w+([:].
   
   Otherwise (if it really is enabled) it should work as per the tested 
[testDmiIsEnabled](https://github.com/apache/struts/blob/09f969a9bebe31370df64702a61420f14ead6271/core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java#L205).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 587760)
    Time Spent: 1h 20m  (was: 1h 10m)

> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27, 2.6
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> There are unnecessary log warnings when DMI is enabled, from the 
> ParametersInterceptor.  
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor 
> ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't 
> match accepted pattern 
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
>  See Accepted / Excluded patterns at 
> https://struts.apache.org/security/#accepted--excluded-patterns
> e.g. the property 'action:myAction!save' should not be considered as a 
> bean/property parameter, as it's used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" 
> needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from 
> DefaultAcceptedPatternsChecker as the DMI action|method would never be a form 
> property.
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>     "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
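
The comparison made in the comment above can be reproduced by running the two patterns quoted in this message against a few parameter names. This is an added example, not code from the Struts project or the pull request; the class name, the sample names other than 'action:myAction!save', and the use of a full-string match are assumptions.

```java
import java.util.regex.Pattern;

public class AcceptedPatternDemo {
    // Pattern copied from the WARN line in the issue description (ACCEPTED_PATTERNS).
    static final Pattern ACCEPTED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])"
        + "|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");

    // Pattern copied from DMI_AWARE_ACCEPTED_PATTERNS in the issue description.
    static final Pattern DMI_AWARE = Pattern.compile(
        "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])"
        + "|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?");

    // Assumption: the whole parameter name must match the pattern, not a substring.
    static boolean accepts(Pattern pattern, String name) {
        return pattern.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names; only the first appears in the issue text.
        String[] names = {
            "action:myAction!save",   // DMI-style submit name from the issue
            "method:save",            // DMI-style method prefix
            "user.name",              // ordinary nested property
            "items[0].price",         // indexed property
            "map['key']"              // map-style property
        };
        System.out.printf("%-24s %-10s %s%n", "parameter", "ACCEPTED", "DMI_AWARE");
        for (String name : names) {
            System.out.printf("%-24s %-10b %b%n",
                name, accepts(ACCEPTED, name), accepts(DMI_AWARE, name));
        }
    }
}
```

The two DMI-style names fail ACCEPTED at the ':' and pass DMI_AWARE, while the ordinary property names pass both, so a warning that prints the pattern beginning with \w+((\. shows which pattern set was in effect when the parameter was checked.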
