Aaron created BEANUTILS-510: ------------------------------- Summary: Able to cause error 500 on any application running BeanUtils Key: BEANUTILS-510 URL: https://issues.apache.org/jira/browse/BEANUTILS-510 Project: Commons BeanUtils Issue Type: Bug Affects Versions: 1.9.3 Environment: * Reporter: Aaron
By adding the characters ;?[ to the end of a URL (before URL parameters, if there are any) on an application running BeanUtils, you are able to cause an HTTP error 500 on the application. Here is the stack trace: {{java.lang.IllegalArgumentException: Missing End Delimiter}} {{ at org.apache.commons.beanutils.expression.DefaultResolver.getIndex(DefaultResolver.java:90)}} {{ at org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:913)}} {{ at org.apache.commons.beanutils.BeanUtilsBean.populate(BeanUtilsBean.java:823)}} {{ at org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:431)}} {{ at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:493)}} {{ at org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:816)}} {{ at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:203)}} {{ at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)}} {{ at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)}} {{ at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)}} {{ at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)}} -- This message was sent by Atlassian JIRA (v7.6.3#76005)