I've been having issues with map keys in struts and I finally tracked it down 
to the pattern here:


Which is:


This apparently restricts map keys to strings of word characters [a-zA-Z0-9_] 
or virtually all of the 20,950 characters in the CJK Unified Ideographs (why 
does it stop at 9FA5 and not 9FFF or 9FD5?). Is there some justification for 
which characters were allowed here, and why things like spaces and slashes are 
excluded? It seems like you could allow anything except for single quotes and 
you'd be safe, right?

I've read through all of the following which seemed to be either directly or 
indirectly related to the issue:





Some of the messages say that allowing spaces is a security vulnerability, but 
how could that be? Isn't foo['hello world'] and foo['hello/world'] just as safe 
as foo['hello_world'] ? The actual security vulnerabilities seem related to 
other forms parameter values (using #, or forms that aren't inside single 
quoted strings).

This commit:


Changed the testParametersWithSpacesInTheName test to expect spaces not to work 
rather than to work. But the commit message doesn't explain why.

Actually looks like the test has flipped back and forth between expecting 
spaces to work and not work a few times. I just found what I believe is the 
earliest commit that has a reference to not accepting spaces (only accessible 
via tags that are not ancestors of master):


That commit also doesn't explain why spaces shouldn't be allowed.

-Steven Willis

Reply via email to