Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.0.11.2
-
None
Description
From all of the documentation that I could find regarding resolutions for the S2-003 security bulletin, effectively involve one of two paths if websphere support is required. Both of these workarounds failed within my testing environment.
1) Use annotations for validation.
I was not able to make this work. It seemed as though Websphere would fail any time there was a validation interceptor on the stack. I was also unable to get a root cause stack frame due to my unfamilarity with the Websphere architecture and the root cause being masked by the FileNotFoundException filter issue. Punted on this solution due to time constraints.
2) Use excludeParams to filter out possibly malicous parameter names.
It appears that the reg ex given for this filter is incorrect.
Given filter: <param name="excludeParams">.*[[^
p
When this was applied to the params interceptor, the config parser converted this into the java string defined by the following:
".*[[^\\\\p{Graph}
]\\\\\\\\#:=].*"
Breaking the \p
{Graph} class, causing this expression to match just about anything that has characters outside of this set [Graphp{}] (unescaped string).This XML fragment appears to resolve the issue:
<param name="excludeParams">.*[[^\p{Graph}
]\\#:=].*</param>