Mirek Hankus created WW-5276:
--------------------------------

Summary: Cleanup method of request is not called
Key: WW-5276
URL: https://issues.apache.org/jira/browse/WW-5276
Project: Struts 2
Issue Type: Bug
Affects Versions: 6.1.1
Reporter: Mirek Hankus

After upgrading to 6.1.1 we have noticed that the cleanup method of a custom MultiPartRequest is not called by Struts.

It may be related to [https://github.com/apache/struts/commit/69102e907551a87335231656320c8484072bdecb], as before, the variable "request" was overwritten with the wrapped request and cleanup was called in the finally section.

After this commit a new variable called "wrappedRequest" is created, but cleanup is called only on the original request, and the new wrappedRequest is not cleaned up at all.

Below is the respective code fragment:

{code:java}
            HttpServletRequest wrappedRequest = prepare.wrapRequest(request);
            ActionMapping mapping = prepare.findActionMapping(wrappedRequest, response, true);
            if (mapping == null) {
                LOG.trace("Cannot find mapping for {}, passing to other filters", uri);
                chain.doFilter(request, response);
            } else {
                LOG.trace("Found mapping {} for {}", mapping, uri);
                execute.executeAction(wrappedRequest, response, mapping);
            }
        }
    }
} finally {
    // cleanup receives the original request, not wrappedRequest
    prepare.cleanupRequest(request);
}
{code}

This bug causes a lot of resource problems, and can result in a denial of service condition for the application (or make the application not compliant, as sensitive information is not properly discarded).

--
This message was sent by Atlassian Jira (v8.20.10#820010)
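
The pattern the report describes, as an added, self-contained Java model (not Struts code and not part of the original message): `Request`, `MultipartWrapper`, `cleanupRequest` and `leaked` are hypothetical stand-ins, and the model assumes that cleanup releases resources only when it is handed the wrapper instance. It counts how many spooled upload files survive when the `finally` block cleans the original request versus the wrapped one.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class WrappedCleanupDemo {
    // Hypothetical stand-in for the original servlet request.
    static class Request {}

    // Hypothetical stand-in for a multipart wrapper that spools uploads to disk.
    static class MultipartWrapper extends Request {
        final List<Path> tempFiles = new ArrayList<>();
        MultipartWrapper() throws IOException {
            // Constructed sample: one spooled upload per wrapped request.
            tempFiles.add(Files.createTempFile("upload_", ".tmp"));
        }
        void cleanUp() throws IOException {
            for (Path p : tempFiles) Files.deleteIfExists(p);
        }
    }

    // Assumption: cleanup is a no-op unless it receives the wrapper itself.
    static void cleanupRequest(Request r) throws IOException {
        if (r instanceof MultipartWrapper) ((MultipartWrapper) r).cleanUp();
    }

    // Returns how many spooled files still exist after n simulated requests.
    static long leaked(int n, boolean cleanWrapped) throws IOException {
        List<Path> all = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            Request request = new Request();
            MultipartWrapper wrappedRequest = new MultipartWrapper();
            all.addAll(wrappedRequest.tempFiles);
            try {
                // Action execution against wrappedRequest would happen here.
            } finally {
                cleanupRequest(cleanWrapped ? wrappedRequest : request);
            }
        }
        long left = all.stream().filter(p -> Files.exists(p)).count();
        for (Path p : all) Files.deleteIfExists(p); // tidy up the demo's own files
        return left;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("cleanup(request):        " + leaked(100, false) + " files left");
        System.out.println("cleanup(wrappedRequest): " + leaked(100, true) + " files left");
    }
}
```

A per-request count of leftover files like this is also a practical regression check for a custom multipart implementation after a framework upgrade.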