Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-4563

Regressions after upgrading to 2.3.24.1 to obtain security fix

    XMLWordPrintableJSON

Details

    • Important

    Description

      We recently tried to update from 2.3.16.3 to 2.3.4.1 based on
      https://struts.apache.org/docs/s2-026.html, we are hitting regressions issues due to a change in CookieInterceptor.

      It's currently using the same accepted_pattern to check out both name & value to pass around the cookies. When the cookie values are simple, it works. When the cookie value carries a special chars for example a url is the cookie value, it fails with the existing pattern and it is not passed to actions.

      I didn't find a way getting around this in the config and this has been a blocker for us to update to the version.

      Why are we checking for cookie values with the same hardcoded pattern only ? If there is a way to workaround this in the config?

      private static final String ACCEPTED_PATTERN = "[a-zA-Z0-9\\.\\]\\[_'
      s]+";
      .....
      protected boolean isAcceptableValue(String value)

      { return !isExcluded(value) && isAccepted(value); }

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. WW-4560 ParametersInterceptor check for valid values blocks many acceptable values using the same rules for parameters.

          • Major - Major loss of function.
          • Closed

          Activity

            People

              lukaszlenart Lukasz Lenart
              sypark Seolyoung Park
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: