[
https://issues.apache.org/jira/browse/WW-3529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-3529:
------------------------------
Description:
The com.opensymphony.xwork2.util.NamedVariablePatternMatcher class has a bug in
the {{compilePattern(String)}} method. The purpose of the method is to compile
patterns such as {{"action/\{foo}"}} to a regular expression Pattern and
extract the variable names that match each group in the regex. In the example
given and the 2.2.1 code base, the pattern will be compiled as
{{"action/([^/]+)"}}. However, if the pattern includes characters that have
special meaning to Java's regular expression engine, they are currently not
being escaped.
For example, the pattern "action.{format}" is being compiled to
{{"action.([^/]+)"}} which correctly matches {{"action.html"}} but also
{{"actionK.html"}} or any other character because the {{'.'}} is not escaped.
The bug really bites when a pattern like {{"{name}.{format}"}} is used. This
will be compiled to {{"([^/]+).([^/]+)"}} which will match {{"cars.html"}} but
not the way you expect. Because of greediness, it will set {{name =
"cars.ht"}} and {{format = "l"}}.
I will submit a patch to fix this behavior on the next screen.
was:
The com.opensymphony.xwork2.util.NamedVariablePatternMatcher class has a bug in
the {{compilePattern(String)}} method. The purpose of the method is to compile
patterns such as {{"action/{foo}"}} to a regular expression Pattern and extract
the variable names that match each group in the regex. In the example given
and the 2.2.1 code base, the pattern will be compiled as {{"action/([^/]+)"}}.
However, if the pattern includes characters that have special meaning to Java's
regular expression engine, they are currently not being escaped.
For example, the pattern "action.{format}" is being compiled to
{{"action.([^/]+)"}} which correctly matches {{"action.html"}} but also
{{"actionK.html"}} or any other character because the {{'.'}} is not escaped.
The bug really bites when a pattern like {{"{name}.{format}"}} is used. This
will be compiled to {{"([^/]+).([^/]+)"}} which will match {{"cars.html"}} but
not the way you expect. Because of greediness, it will set {{name =
"cars.ht"}} and {{format = "l"}}.
I will submit a patch to fix this behavior on the next screen.
> NamedVariablePatternMatcher does not properly escape characters
> ---------------------------------------------------------------
>
> Key: WW-3529
> URL: https://issues.apache.org/jira/browse/WW-3529
> Project: Struts 2
> Issue Type: Bug
> Components: Other
> Affects Versions: 2.2.1
> Reporter: Richard Vermillion
> Priority: Major
> Fix For: 6.1.0
>
> Attachments: NamedVariablePatternMatcher.patch
>
>
> The com.opensymphony.xwork2.util.NamedVariablePatternMatcher class has a bug
> in the {{compilePattern(String)}} method. The purpose of the method is to
> compile patterns such as {{"action/\{foo}"}} to a regular expression Pattern
> and extract the variable names that match each group in the regex. In the
> example given and the 2.2.1 code base, the pattern will be compiled as
> {{"action/([^/]+)"}}. However, if the pattern includes characters that have
> special meaning to Java's regular expression engine, they are currently not
> being escaped.
> For example, the pattern "action.{format}" is being compiled to
> {{"action.([^/]+)"}} which correctly matches {{"action.html"}} but also
> {{"actionK.html"}} or any other character because the {{'.'}} is not escaped.
> The bug really bites when a pattern like {{"{name}.{format}"}} is used.
> This will be compiled to {{"([^/]+).([^/]+)"}} which will match
> {{"cars.html"}} but not the way you expect. Because of greediness, it will
> set {{name = "cars.ht"}} and {{format = "l"}}.
> I will submit a patch to fix this behavior on the next screen.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
